Observation

ORA-2026-0069

fleet-ops

Observation

The heartwood repo has 86 remote branches and zero merge commits to main in its entire history. Main receives only occasional direct commits. Codex seats create codex/* branches per ticket, do substantial work (20-70 commits, 100+ files per branch), post DONE on the feed, and move on. Nobody merges the branch back to main. The work exists but is invisible to production and to other branches.

54 of 86 branches are 10+ commits ahead of main. The 5 largest:

Branch                                        Commits ahead
codex/hwd-0348-client-send-test-mode          72
codex/cmb-0192-photo-cascade-vision           70
codex/flt-0093-beside-shell-writer            41
codex/hwd-0184-project-shell-writer-restamp   39
codex/hwd-0079-evidence-health-panel          34

Structural cause

Three reinforcing factors:

1. DONE = code complete, not merged. The fleet's definition of DONE (feed post with FOLLOW-ONS) treats code-complete on a branch as the finish line. No doctrine requires merge as a completion criterion. The branch is the deliverable, not the merge.

2. Branch size makes merge scary. Because branches accumulate 20-70 commits without intermediate merges, they diverge so far from main that merging becomes a high-risk operation. This creates a vicious cycle: branches grow because nobody merges → nobody merges because branches are too big → branches grow further.

3. No merge owner. Codex seats own the code work. STRAT seats own sequencing. Neither role explicitly owns "merge this branch to main." The work falls between roles.

Consequences

1. Credential-gate near-miss (ORA-2026-0036 Instance 2). The photo digest send gate existed only on a branch. The Resend API key was live in production. If the branch had been merged wholesale, real emails would have been sent to homeowners with no consent gate. This near-miss happened specifically because the branch was 118 files / 23,624 lines — too big to merge safely, so it sat unmerged while the credential was already provisioned.

2. Dormant capability amplifier. Every unmerged branch is a dormant capability by definition — the code exists, passes tests, but is invisible to production. The 86-branch count means the heartwood repo has dozens of features that are "done" but not shipped.

3. Inter-branch conflict accumulation. Branches that diverge from main also diverge from each other. When two branches finally merge, conflicts compound. This makes the merge-avoidance cycle worse.

4. Vercel preview vs production gap. Vercel deploys preview URLs for branches, creating a false sense of "shipped" — the feature works on the preview URL but not on the production domain.

Recommended countermeasure

Immediate (FLT-0365)

Triage all 86 heartwood branches into three buckets:

  • MERGE NOW: Branch is safe, tested, and should be on main. Cherry-pick or merge.
  • MERGE WITH GATE: Branch has credential/send/destructive implications. Cherry-pick gate commits first (per ORA-2026-0036 atomicity rule), then merge.
  • ARCHIVE: Branch is stale, superseded, or experimental. Delete remote ref, note in feed.

Structural (doctrine amendment)

Extend ORA-2026-0029 (dying-well) with a merge criterion:

MERGE DISCIPLINE: A ticket is not DONE until its branch is either (a) merged to main, (b) cherry-picked onto main with the branch marked for later cleanup, or (c) explicitly marked merge: deferred — <reason> in the DONE post with a follow-on ticket for the merge. "Code complete on branch" is not DONE — it is IN_PROGRESS with a merge follow-on.

Preventive

  • Branch size limit soft signal: If a branch exceeds 20 commits ahead of main without an intermediate merge, the closing feed read should flag it. Not a hard gate — a visible signal.
  • Weekly merge sweep: One Codex seat runs git rev-list --count main..origin/<branch> for each origin/codex/* branch weekly and files merge tickets for any branch >10 commits ahead.
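
The weekly merge sweep and the 20-commit soft signal above, written out as an added example script (not the fleet's own tooling). It assumes the remote is named origin and the base branch is main; the function names, the BASE variable and the sweep argument are illustrative.

```shell
#!/bin/sh
# Added example: weekly merge sweep over remote codex/* branches.
# Thresholds are the ones stated on the page:
#   >10 commits ahead of main -> file a merge ticket
#   >20 commits ahead of main -> soft size signal (visible flag, not a hard gate)
TICKET_AT=10
SIGNAL_AT=20
BASE="${BASE:-main}"   # assumption: set BASE=origin/main if local main may be stale

# Print "<count> <branch>" for every remote codex/* branch.
# rev-list does not expand a glob inside a range, so each ref is counted in turn.
ahead_counts() {
  git for-each-ref --format='%(refname:short)' 'refs/remotes/origin/codex' |
  while read -r ref; do
    printf '%s %s\n' "$(git rev-list --count "$BASE..$ref")" "$ref"
  done
}

# Read "<count> <branch>" lines on stdin and print one action per branch,
# largest divergence first so the riskiest merges are triaged first.
classify_ahead() {
  sort -rn | while read -r count ref; do
    if [ "$count" -gt "$SIGNAL_AT" ]; then
      printf 'SIZE-SIGNAL+TICKET %s %s\n' "$count" "$ref"
    elif [ "$count" -gt "$TICKET_AT" ]; then
      printf 'TICKET %s %s\n' "$count" "$ref"
    else
      printf 'OK %s %s\n' "$count" "$ref"
    fi
  done
}

# Full sweep: refresh remote refs (dropping deleted ones), then classify.
merge_sweep() {
  git fetch --prune --quiet origin && ahead_counts | classify_ahead
}

# Runs only when invoked inside the repo clone as: ./merge_sweep.sh sweep
if [ "${1:-}" = "sweep" ]; then merge_sweep; fi
```

Branches reported as SIZE-SIGNAL+TICKET that also touch credentials or send paths belong in the MERGE WITH GATE bucket rather than being merged wholesale.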

Relationship to ORA-2026-0036

This observation is a structural enabler of dormant capabilities. ORA-2026-0036 documents features that ship without activation paths. This observation documents the mechanism by which that happens in the heartwood repo: work ships on branches that never reach main, so the feature is both "done" (code-complete, tested, DONE-posted) and dormant (not on main, not in production) simultaneously.

The credential sub-class near-miss (Instance 2) is a direct consequence: the credential was provisioned to production, but the gate that controls it lives on a branch that was too big to merge safely.

See also

  • ORA-2026-0036 — dormant capability (this observation explains a structural enabler)
  • ORA-2026-0029 — dying-well (DONE definition needs merge criterion)
  • FLT-0365 — fleet-wide merge hygiene sweep (filed from this observation)