MC-4913

ROOT CAUSE located (2026-06-10). The live worker-DONE->done close is NOT in the MC repo. It runs in the Hermes harness ~/.hermes: cron job 7fa17b6a8bad 'Luci MC board manager (controller-only)', mode=visibility-only-board-manager, with harvest/close logic across ~/.hermes/scripts/{mc_control_plane_watchdog.py, luci_ticket_watcher.py, mc_manual_repair_followup.py} + hermes-agent/cli.py. Close is an LLM judgment, not a deterministic commit gate -> root cause of the 59 false-dones. The MC-repo deterministic backstop (luci_operator.audit_recent_done_tickets, L555) is REACTIVE + skips _is_ops_scope/_controller_has_judged/reopen-cap -> leaks. FIX OPTIONS: (i) MC-repo only (lower risk): harden luci_operator auditor to deterministically reopen ANY code-ticket marked done with no verified commit SHA, dropping the controller-judged/scope skips. (ii) Hermes harness (preventative, stronger): add a deterministic commit-verify gate in the Hermes close path before status->done. (ii) touches a sensitive live core system -> awaiting Elmar scope confirmation.

PRECISE ROOT CAUSE (corrected per Elmar: orchestrator MUST stay the reviewer/closer — this hardens its gate, does not replace it). The close gate ALREADY EXISTS in the MC repo: models.unmerged_work_gate_block_reason (models.py:3175), routed via update_ticket (L3337), alongside mobile_visual_gate_block_reason (L3047). It blocks done when the worker branch isn't merged to origin/master. THE HOLE: it FAILS OPEN — 'if not ref: return None' (allow) and any git error returns None (allow). So a worker that emits DONE having created NO branch/commit -> no ref -> gate allows done. That is exactly the 13 hard false-dones (DONE with no commit in any branch). FIX (MC repo only, no Hermes edit, design preserved): 1. Add _ticket_expects_commit(ticket) predicate (true for code/dev tickets: code project OR had a dev-loop worker/runtime_session; false for life/admin/data captures). 2. In the done close path: for tickets where _ticket_expects_commit is true AND there is no verified-LANDED commit (resolvable ref merged to master, done_sha that git rev-parse/cat-file confirms exists), BLOCK done with reason 'no_verified_landed_commit'. Fail-CLOSED for code tickets; keep fail-OPEN only for genuine git-unavailable + for non-code tickets (life items close freely). 3. Verify the gate is invoked on ALL close paths (update_ticket done transition, api_update_ticket PATCH L9027, board-v2 status POST L3267, life/done L3850) — close any bypass. 4. (service tickets) also require the deploy-verify flag before done. Blast radius = universal close path -> implement under dev-loop with TESTS (life ticket still closes; code ticket w/o landed commit blocked; git-unavailable fails open) + careful deploy+verify before done. Next focused step.

CLOSED done + verified (orchestrator gate). Worker commits 5078b0b+be8a134 (kanban worktree) reviewed by independent code-reviewer agent: verdict LAND-WITH-FIXES. Verified before landing: fail-closed trace correct (code ticket + no commit -> missing_landed_commit_proof BLOCK); all 6 close paths covered (update_ticket, api PATCH, board-v2 POST, workflow action, life/done, luci_operator); migration idempotent, no version-bump risk. Test attribution: 33 failures in worst files byte-identical pre/post -> ZERO new regressions (repo has ~180 pre-existing failures, logged as separate debt finding). Landed: cherry-picked to master as 6677418 + a36410a, plus orchestrator fix for review issue #3 (unknown projects need worker evidence before commit-proof gate — Life-ticket 'Fix:' titles no longer blocked) with 4 regression tests. DEPLOY-VERIFIED: luci-dashboard restarted; 4 trust columns live in mc.db; synthetic live test MC-4922: code ticket -> done returned 422 missing_landed_commit_proof, then cancelled. The 13-hard-false-done hole is closed in production. Follow-ups noted: (i) luci_operator direct-SQL close path is gate-correct but duplicated — refactor to models.update_ticket later; (ii) cherry-pick landings: orchestrator must stamp done_sha with landed master SHA (done here); (iii) pre-existing TOCTOU on concurrent status updates — pre-dates 4913. done_sha: a36410a692210f197581d7eaf038a882e5ffc187, verified=true, deploy-verified=true.

[visibility-only board-manager] Routed this Luci-owned critical hardening ticket to internal Kanban card t_529b8837 in isolated worktree `/home/lucienne/workspace/state/kanban-worktrees/mc-4913-close-gate`. Initial claudebuilder launch hit Anthropic extra-usage HTTP 400, so I reclaimed/reassigned the same card to codexbuilder and verified the replacement worker is running as task_run 222, PID 303696, with `/proc` cwd matching the isolated worktree. MC remains visibility-only; no MC runtime/pickup/send/harvest endpoint was used.

[visibility-only board-manager] Rejected the first codexbuilder handoff for MC-4913 because it stopped at inspection-only mapping. Added an explicit implementation authorization to the same internal Kanban card, unblocked it, and verified a replacement run is active as task_run 225 / PID 316325 in the isolated worktree `/home/lucienne/workspace/state/kanban-worktrees/mc-4913-close-gate`. MC remains parked as waiting / kanban_active:t_529b8837.

[visibility-only board-manager] Controller gate completed for MC-4913. Cherry-picked worker close-gate hardening onto master as 6677418 + a36410a, pushed to origin/master, ran 250 focused tests (test_board_v2, test_mc4681_merge_invariant, test_mc4207_phase3_evidence, MC-4914/4916 regressions), reloaded gunicorn with HUP, and verified /api/health, /api/v1/tickets?limit=1, and /board return 200. Repaired the ticket row from waiting/kanban_active to done; no MC runtime/pickup/send/harvest endpoint was used.