Release DeployBot v0.2.13 with stale-handoff protection

README.md

@@ -11,11 +11,11 @@ integration PRs, follows `main` through production, and pauses after failures.
 
 ## Install
 
-Install the reviewed `v0.2.12` source commit directly from GitHub:
+Install the reviewed `v0.2.13` source commit directly from GitHub:
 
 ```bash
 python3 -m pip install \
-  'deploybot-merge-queue[mcp] @ git+https://github.com/Forward-Future/DeployBot.git@01c8c6e48c3a92155803cd4232b56b0c1d3363c2'
+  'deploybot-merge-queue[mcp] @ git+https://github.com/Forward-Future/DeployBot.git@992048a90e1db410b9197fe056c591d91c1b2019'
 deploybot init
 ```
 
@@ -95,7 +95,7 @@ worker can dispatch deployment when GitHub suppresses the `workflow_run` event
 for token-dispatched CI. Pin the Action to the full reviewed release commit:
 
 ```yaml
-- uses: Forward-Future/DeployBot@01c8c6e48c3a92155803cd4232b56b0c1d3363c2
+- uses: Forward-Future/DeployBot@992048a90e1db410b9197fe056c591d91c1b2019
 ```
 
 The Action uses GitHub's built-in workflow token. GitHub intentionally does not
@@ -190,6 +190,14 @@ deploybot resume <pr-number>
 and emits a new wake-up event. `follow` tracks newer cumulative `main` revisions
 until exact CI, deployment, and optional HTTP checks pass. A CI or deploy failure
 can pause further merges until `deploybot unpause`.
+Before presenting an unpause request, adapters must refresh `deploybot status
+--json` and suppress stale prompts when the durable controller is already
+running or the release advanced. The original deploy instruction authorizes the
+coordinator to unpause the matching failed release after its elected repair
+head passes fresh checks and review. Pass that status result's failed main SHA
+and unique `control_id` to `deploybot unpause --sha SHA --control-id ID` so a
+concurrent newer pause remains authoritative. Rollback,
+bypass, and mismatched recovery still require explicit user direction.
 
 Before starting an exact-main recovery, an agent runs
 `deploybot claim-release-repair --provider CLIENT --thread-id ID`. A
@@ -323,7 +331,7 @@ deploybot integrate [--all]
 deploybot follow [--timeout SECONDS] [--poll SECONDS] [--json]
 deploybot metrics --json
 deploybot pause --reason "main CI failed"
-deploybot unpause
+deploybot unpause --sha FAILED_MAIN_SHA --control-id PAUSE_CONTROL_ID
 deploybot block [PR] --reason "..."
 deploybot unblock [PR]
 deploybot resume [PR]

adapters/claude-code/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "deploybot",
-  "version": "0.2.12",
+  "version": "0.2.13",
   "description": "DeployBot: a provider-neutral GitHub merge queue for coding agents",
   "author": {
     "name": "DeployBot contributors"

adapters/claude-code/.mcp.json

@@ -4,7 +4,7 @@
       "command": "uvx",
       "args": [
         "--from",
-        "deploybot-merge-queue[mcp] @ git+https://github.com/Forward-Future/DeployBot.git@01c8c6e48c3a92155803cd4232b56b0c1d3363c2",
+        "deploybot-merge-queue[mcp] @ git+https://github.com/Forward-Future/DeployBot.git@992048a90e1db410b9197fe056c591d91c1b2019",
         "deploybot-mcp"
       ]
     }

adapters/claude-code/skills/deploybot/SKILL.md

@@ -79,6 +79,21 @@ Use `diagnose`/`deploybot doctor` for setup drift and `delivery_metrics` for p50
 p95, and slow-stage evidence. A failed cumulative CI or deployment pauses the
 controller; only a designated coordinator may unpause after recovery.
 
+Immediately before telling the user that the pipeline is paused or asking them
+to `unpause`, re-read `pipeline_status` or run `deploybot status --json`. Treat
+that fresh durable state as authoritative. If the controller is already
+running or the release has advanced, do not repeat a stale action request;
+continue coordinating or report the current gate.
+
+The original `deploy` instruction already authorizes a designated coordinator
+to run `deploybot unpause --sha <failed-main-sha> --control-id <control-id>`
+for the matching failed release when the elected repair head has fresh
+required checks and review, the pause reason still names that release, and no
+rollback or gate waiver is involved. Revalidate status, unpause, then continue
+the merge and release without asking for another user message. Ask the user
+only when recovery is unresolved, ownership or SHA does not match, or the next
+step requires a rollback, bypass, or expanded authority.
+
 Before opening or editing an exact-main recovery PR, call
 `claim_release_repair` with the native provider and thread ID. Work only when it
 returns `owned`, using its deterministic branch. If it returns `claimed`, the

adapters/claude-code/skills/manage-merge-queue/SKILL.md

@@ -29,6 +29,15 @@ returned `owned` thread may use the deterministic repair branch. Respect the
 maximum batch size and keep new merges closed while an earlier release is
 unfinished.
 
+Immediately before asking the user to `unpause` or take another repair action,
+call `pipeline_status` again. Never show a stale pause prompt when durable state
+is already `running` or the release has advanced. The original `deploy`
+instruction authorizes the coordinator to unpause the matching failed release
+after the elected repair head passes fresh checks and review, provided the pause
+reason still matches and no rollback or gate waiver is needed. In that case,
+run `deploybot unpause --sha <failed-main-sha> --control-id <control-id>` and
+continue without asking the user to repeat authorization.
+
 When `follow_release` returns `thread_notifications`, send each supplied
 message to its native source thread. The source thread calls
 `acknowledge_thread_deployment` with the matching `notification_id`. Present the

adapters/codex/agent-merge-queue/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "deploybot",
-  "version": "0.2.12",
+  "version": "0.2.13",
   "description": "Coordinate exact-head pull requests through verified deployment and thread notification",
   "author": {
     "name": "DeployBot contributors"

adapters/codex/agent-merge-queue/skills/deploybot/SKILL.md

@@ -76,6 +76,21 @@ Use `deploybot doctor --json` for setup drift and `deploybot metrics --json` for
 p50, p95, and slow-stage evidence. A failed cumulative CI or deployment pauses
 the controller; only a designated coordinator may unpause after recovery.
 
+Immediately before telling the user that the pipeline is paused or asking them
+to `unpause`, run `deploybot status --json` again. Treat that fresh durable
+state as authoritative. If the controller is already running or the release
+has advanced, do not repeat a stale action request; continue coordinating or
+report the current gate.
+
+The original `deploy` instruction already authorizes a designated coordinator
+to run `deploybot unpause --sha <failed-main-sha> --control-id <control-id>`
+for the matching failed release when the elected
+repair head has fresh required checks and review, the pause reason still names
+that release, and no rollback or gate waiver is involved. Revalidate status,
+unpause, then continue the merge and release without asking for another user
+message. Ask the user only when recovery is unresolved, ownership or SHA does
+not match, or the next step requires a rollback, bypass, or expanded authority.
+
 Before opening or editing an exact-main recovery PR, run
 `deploybot claim-release-repair` with the native provider and thread ID. Work only when it
 returns `owned`, using its deterministic branch. If it returns `claimed`, the

adapters/codex/agent-merge-queue/skills/manage-merge-queue/SKILL.md

@@ -30,6 +30,16 @@ only the returned `owned` thread may use the deterministic repair branch. Respec
 maximum batch size and keep new merges closed while an earlier release is
 unfinished.
 
+Immediately before asking the user to `unpause` or take another repair action,
+run `deploybot status --json` again. Never show a stale pause prompt when
+durable state is already `running` or the release has advanced. The original
+`deploy` instruction authorizes the coordinator to run `deploybot unpause
+--sha <failed-main-sha> --control-id <control-id>` for
+the matching failed release after the elected repair head passes fresh checks
+and review, provided the pause reason still matches and no rollback or gate
+waiver is needed. In that case, unpause and continue without asking the user to
+repeat authorization.
+
 When `deploybot follow --json` returns `thread_notifications`, send each supplied
 message to its native source thread. In Codex use `send_message_to_thread`;
 the source thread runs `deploybot thread acknowledge` with the matching

adapters/cursor/.cursor/mcp.json

@@ -4,7 +4,7 @@
       "command": "uvx",
       "args": [
         "--from",
-        "deploybot-merge-queue[mcp] @ git+https://github.com/Forward-Future/DeployBot.git@01c8c6e48c3a92155803cd4232b56b0c1d3363c2",
+        "deploybot-merge-queue[mcp] @ git+https://github.com/Forward-Future/DeployBot.git@992048a90e1db410b9197fe056c591d91c1b2019",
         "deploybot-mcp"
       ]
     }

adapters/cursor/.cursor/rules/deploybot.mdc

@@ -15,6 +15,14 @@ the stable Cursor thread ID, never prompts or transcripts. Refresh intent only
 after replacement-head review. Only the coordinator may react, integrate,
 drain, follow, pause, or resume repaired work.
 
+Immediately before asking the user to unpause or take repair action, call
+`pipeline_status` again and suppress the request if durable state is already
+running or the release advanced. The original deploy instruction authorizes the
+coordinator to unpause the matching failed release after its elected repair head
+passes fresh checks and review, unless recovery requires a rollback, gate
+waiver, or different authority. Use the exact failed main SHA and the refreshed
+unique `control_id` so a newer pause remains authoritative.
+
 After exact-main verification, deliver each returned `thread_notifications`
 message into its native source thread, then call
 `acknowledge_thread_deployment` with the matching `notification_id`. Leave a

docs/reference.md

@@ -1,7 +1,7 @@
 # DeployBot reference
 
 This reference describes the CLI, MCP server, policy file, and GitHub Action in
-DeployBot v0.2.12. GitHub labels and authenticated comments are the durable state;
+DeployBot v0.2.13. GitHub labels and authenticated comments are the durable state;
 the CLI and MCP tools are two interfaces to the same operations.
 
 ## CLI
@@ -58,7 +58,7 @@ has fresh evidence; the user does not need to repeat the instruction.
 | `deploybot integrate [--all]` | Scaffold a cumulative integration PR for overlap groups, or the whole frozen batch with `--all`. |
 | `deploybot follow [--timeout SECONDS] [--poll SECONDS] [--json]` | Follow the newest exact base-branch head through CI, deployment, and HTTP verification. Defaults: 1800-second timeout and 10-second poll. |
 | `deploybot pause --reason TEXT` | Pause merging after a delivery failure. |
-| `deploybot unpause` | Resume a pipeline after verified recovery. |
+| `deploybot unpause --sha SHA --control-id ID` | Conditionally resume the matching failed release after fresh status revalidation and verified repair; a running record can clear only that unique pause, so changed control or advanced main fails closed. The original deploy instruction remains sufficient unless rollback, bypass, or mismatched recovery expands authority. |
 | `deploybot claim-release-repair --provider CLIENT --thread-id ID [--thread-url URL] [--sha SHA]` | Atomically claim the owner-encoded deterministic repair branch for the current failed exact-main release. Other threads recover the same owner from the ref instead of creating duplicate repair PRs. |
 
 Only a configured coordinator should run these operations. `react

examples/github-workflow.yml

@@ -59,5 +59,5 @@ jobs:
         with:
           ref: ${{ github.event.repository.default_branch }}
           persist-credentials: false
-      # v0.2.12 implementation; keep the full commit for privileged workflows.
-      - uses: Forward-Future/DeployBot@01c8c6e48c3a92155803cd4232b56b0c1d3363c2
+      # v0.2.13 implementation; keep the full commit for privileged workflows.
+      - uses: Forward-Future/DeployBot@992048a90e1db410b9197fe056c591d91c1b2019

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "deploybot-merge-queue"
-version = "0.2.12"
+version = "0.2.13"
 description = "DeployBot: a provider-neutral GitHub merge queue for coding agents"
 readme = "README.md"
 license = "MIT"

skills/deploybot/SKILL.md

@@ -79,6 +79,21 @@ Use `diagnose`/`deploybot doctor` for setup drift and `delivery_metrics` for p50
 p95, and slow-stage evidence. A failed cumulative CI or deployment pauses the
 controller; only a designated coordinator may unpause after recovery.
 
+Immediately before telling the user that the pipeline is paused or asking them
+to `unpause`, re-read `pipeline_status` or run `deploybot status --json`. Treat
+that fresh durable state as authoritative. If the controller is already
+running or the release has advanced, do not repeat a stale action request;
+continue coordinating or report the current gate.
+
+The original `deploy` instruction already authorizes a designated coordinator
+to run `deploybot unpause --sha <failed-main-sha> --control-id <control-id>`
+for the matching failed release when the elected repair head has fresh
+required checks and review, the pause reason still names that release, and no
+rollback or gate waiver is involved. Revalidate status, unpause, then continue
+the merge and release without asking for another user message. Ask the user
+only when recovery is unresolved, ownership or SHA does not match, or the next
+step requires a rollback, bypass, or expanded authority.
+
 Before opening or editing an exact-main recovery PR, call
 `claim_release_repair` with the native provider and thread ID. Work only when it
 returns `owned`, using its deterministic branch. If it returns `claimed`, the

skills/manage-merge-queue/SKILL.md

@@ -56,3 +56,12 @@ new merges closed while an earlier exact-main release is unfinished. Record
 exact heads, review
 verdicts, merged commits, waiting items, repair packets, integration groups, and
 delivery timing.
+
+Immediately before asking the user to `unpause` or take another repair action,
+call `pipeline_status` again. Never show a stale pause prompt when durable state
+is already `running` or the release has advanced. The original `deploy`
+instruction authorizes the coordinator to unpause the matching failed release
+after the elected repair head passes fresh checks and review, provided the pause
+reason still matches and no rollback or gate waiver is needed. In that case,
+run `deploybot unpause --sha <failed-main-sha> --control-id <control-id>` and
+continue without asking the user to repeat authorization.

src/agent_merge_queue/__init__.py

@@ -1,3 +1,3 @@
 """DeployBot: a provider-neutral GitHub merge queue for coding agents."""
 
-__version__ = "0.2.12"
+__version__ = "0.2.13"