MC-4979

CLOSED done + verified. Deterministic kanban close gate LIVE (hand-executed in persistent session — never dispatch a gate-fix into the pipeline being gated). IMPLEMENTATION (design choice: NO Hermes-core edits — upstream checkout with update cron; both changes are local files): 1. ~/.hermes/scripts/luci_kanban_watchdog.py (15-min cron e105f9bb): new deterministic check — done card whose branch has zero commits beyond master AND no 'no_code_rationale:' opt-out comment -> flipped to ready ONCE with rejection comment; repeat commit-less close -> escalates to orchestrator inbox, never re-flips (circuit breaker). Fail-open on undeterminable git state. Fixed a state-wipe bug in _write_state (would have re-flipped forever) and a self-trap (rejection comment contained the opt-out marker — now prefix+author matched). 2. kanban-orchestrator SKILL: every implementation card now carries standing first-dispatch authorization verbatim + the no_code_rationale contract (codexbuilder recon-stop recurred 3x with wording absent). TESTED: 3-scenario subprocess harness (flip once / no re-flip + escalate / post-rejection opt-out honored) + live smoke (exit 0, zero spurious flips, only known blocked card flagged). 27 existing done cards grandfathered so the gate applies only to future closes. Artifacts: workspace commits a56d2fab + d7c456ba (file backups in state/hermes-config-backup-20260611/ since ~/.hermes is unversioned), manifest row added (was missing entirely — pre-existing gap). done_sha d7c456ba, verified=true. The kanban layer now has what MC-4913 gave the MC layer: done means committed.

[visibility-only controller] Routed this Luci-owned Kanban close-gate fix to internal Kanban card `t_3b345474` on board `mc-internal` (assignee=codexbuilder) in isolated Hermes Agent worktree `/home/lucienne/workspace/_mc_internal_worktrees/MC-4979-kanban-close-gate/hermes-agent`. Dispatch verification: status `running`, run `280`, pid `2079424`, cwd `/home/lucienne/workspace/_mc_internal_worktrees/MC-4979-kanban-close-gate/hermes-agent`. MC remains a dumb ledger; no MC pickup/runtime/send/harvest endpoint was used.

[visibility-only controller] Rejected/consumed internal Kanban parent `t_3b345474` as an incomplete terminal handoff: its run summary said inspection-only/no edits, but the isolated worktree contains dirty implementation WIP and no committed review handoff. Routed continuation to internal Kanban card `t_d52dd953` in the same isolated worktree `/home/lucienne/workspace/_mc_internal_worktrees/MC-4979-kanban-close-gate/hermes-agent` (assignee=codexbuilder). Verified replacement worker is running as run 281, pid 2088652, cwd matches the isolated worktree. MC remains visibility-only; no MC pickup/runtime/send/harvest endpoint was used.

[visibility-only controller] Consumed internal Kanban review-required parent `t_d52dd953` into child `t_0700f185` for independent review/landing in the same isolated Hermes Agent worktree. Parent is marked done as handoff-consumed, not as MC acceptance. MC remains waiting on `kanban_active:t_0700f185`; no MC pickup/runtime/send/harvest endpoint was used.

[visibility-only controller] Routed next bounded internal Kanban lane `t_26bcaf7c` for landing_gate_for_t0700. Verification: status `running`, run `286`, pid `2115756`, cwd `/home/lucienne/workspace/_mc_internal_worktrees/MC-4979-kanban-close-gate/hermes-agent`. MC remains a dumb ledger; no MC pickup/runtime/send/harvest endpoint was used.

[visibility-only controller] Internal Kanban card `t_26bcaf7c` is blocked at the landing step, not at implementation/review: codexbuilder rebased the approved MC-4979 fix onto `origin/main`, reran the focused Kanban/dashboard tests (7+2+2 passed), and left a clean local branch `kb/MC-4979-kanban-close-gate` ahead of `origin/main` by commits `71acb804c` and `86b01e310317d890480684c0b2cb50bdaaf0d078`. The only blocker is GitHub write auth on this host (`gh` not logged in; SSH deploy key is read-only), so MC is parked with CTA: push `HEAD:main` from `/home/lucienne/workspace/_mc_internal_worktrees/MC-4979-kanban-close-gate/hermes-agent` using an authorized GitHub identity, then verify remote `main` at `86b01e310317d890480684c0b2cb50bdaaf0d078` or equivalent landed SHA. No MC pickup/runtime/send/harvest endpoint was used.

[visibility-only controller] Reconciled stale status for MC-4979. The row was still `waiting` on the earlier GitHub-write blocker, but later system evidence in comment 24501 records `CLOSED done + verified`: the deterministic Kanban close gate is live via the local watchdog/skill path, tests passed, and `done_sha d7c456ba` was recorded. Verification note: d7c456ba resolves to d7c456baf03277d638b2fbc3897a66980f1006a7 in /home/lucienne/workspace. Clearing stale `waiting_on_github_write_credentials` metadata and closing the ticket; no MC pickup/runtime/send/harvest endpoint was used.

[visibility-only controller] Cleaned up stale internal Kanban card t_26bcaf7c after MC-4979 was already terminal done. Reclaimed the duplicate running worker and marked the card done as controller cleanup; no MC runtime/pickup/send/harvest endpoint was used.

[visibility-only controller correction] Follow-up verification showed internal Kanban card t_26bcaf7c had already reached done before the reclaim/complete cleanup commands could apply (both returned no-op terminal/not-running messages). Current verified state: t_26bcaf7c status=done, worker_pid cleared; no live duplicate worker remains.