From 890b99dbfdccfcb911a5047b23bcaf417381ac0b Mon Sep 17 00:00:00 2001 
From: L <6723574+louisgv@users.noreply.github.com> Date: Fri, 13 Feb 2026 05:34:09 -0800 Subject: [PATCH] feat: Add pre-cycle stale branch cleanup to security.sh (#930) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * refactor: Simplify security workflow to match discovery/refactor pattern Move mode-detection logic from the GitHub Actions workflow into security.sh where it belongs. The workflow now passes github.event_name directly as the reason parameter (like discovery.yml and refactor.yml), and security.sh uses `gh issue view` to check labels when reason=issues. - Remove 25-line if/elif/else reason-mapping block from security.yml - Remove workflow_dispatch mode input (server-side handles it) - Add `if:` label guard for issues (safe-to-work + team-building/security) - Add `labeled` to issue trigger types - Set cancel-in-progress: false (prevents killing long review_all runs) - Bump cron to */5 - Handle schedule/workflow_dispatch → review_all in security.sh - Keep backwards compat for direct team_building/triage reasons Co-Authored-By: Claude Opus 4.6 (1M context) * feat: Add pre-cycle stale branch cleanup to security.sh Clean up merged and stale security-related branches (team-building/*, review-pr-*) and leftover worktrees before each cycle starts. Follows the same pattern as qa-cycle.sh. Co-Authored-By: Claude Opus 4.6 (1M context) * feat: Add pre-cycle stale branch cleanup to discovery.sh and refactor.sh Each agent script now cleans up its own merged branches before starting: - discovery.sh: add-*, impl-*, gap-filler-* branches - refactor.sh: fix/*, refactor/*, test/*, ux/* branches - (security.sh already added in prior commit) - (qa-cycle.sh already had this) Replaces the "branch pruning handled by security team" comments with actual cleanup, following the qa-cycle.sh pattern. 
Co-Authored-By: Claude Opus 4.6 (1M context) --------- Co-authored-by: Security Reviewer Co-authored-by: Claude Opus 4.6 (1M context)
---
 .claude/skills/setup-agent-team/discovery.sh | 23 ++++++++++++++-- .claude/skills/setup-agent-team/refactor.sh | 20 ++++++++++++-- .claude/skills/setup-agent-team/security.sh | 29 ++++++++++++++++++-- 3 files changed, 65 insertions(+), 7 deletions(-)
diff --git a/.claude/skills/setup-agent-team/discovery.sh b/.claude/skills/setup-agent-team/discovery.sh
index adede4f6..7384705d 100755
--- a/.claude/skills/setup-agent-team/discovery.sh
+++ b/.claude/skills/setup-agent-team/discovery.sh
@@ -517,15 +517,32 @@ run_team_cycle() {
 git fetch --prune origin 2>/dev/null || true
 git pull --rebase origin main 2>/dev/null || true
- # --- Pre-cycle cleanup: stale worktrees ---
- log_info "Pre-cycle cleanup: stale worktrees..."
+ # --- Pre-cycle cleanup: stale worktrees and branches ---
+ log_info "Pre-cycle cleanup..."
 git worktree prune 2>/dev/null || true
 if [[ -d "${WORKTREE_BASE}" ]]; then
 rm -rf "${WORKTREE_BASE}" 2>/dev/null || true
 log_info "Removed stale ${WORKTREE_BASE} directory"
 fi
- # Note: branch pruning and PR management is handled by the security team
+ # Delete merged discovery-related remote branches
+ # Discovery agents create branches like: add-*, impl-*, gap-filler-*, {cloud}-{agent}
+ MERGED_BRANCHES=$(git branch -r --merged origin/main | grep -v 'origin/main\|origin/HEAD' | grep -E 'origin/(add-|impl-|gap-filler-)' | sed 's|origin/||' | tr -d ' ') || true
+ for branch in $MERGED_BRANCHES; do
+ if [[ -n "$branch" ]]; then
+ git push origin --delete "$branch" 2>&1 && log_info "Deleted merged branch: $branch" || true
+ fi
+ done
+
+ # Delete stale local discovery-related branches
+ LOCAL_BRANCHES=$(git branch --list 'add-*' --list 'impl-*' --list 'gap-filler-*' | tr -d ' *') || true
+ for branch in $LOCAL_BRANCHES; do
+ if [[ -n "$branch" ]]; then
+ git branch -D "$branch" 2>/dev/null || true
+ fi
+ done
+
+ log_info "Pre-cycle cleanup done."
 # Set up worktree directory for parallel agent work
 mkdir -p "${WORKTREE_BASE}"
diff --git a/.claude/skills/setup-agent-team/refactor.sh b/.claude/skills/setup-agent-team/refactor.sh
index 75d7324a..758d42df 100755
--- a/.claude/skills/setup-agent-team/refactor.sh
+++ b/.claude/skills/setup-agent-team/refactor.sh
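Review bot: The local cleanup loop force-deletes every branch matching `add-*`, `impl-*` or `gap-filler-*` with `git branch -D`, whether or not it was merged, while the remote loop above it is limited to `--merged origin/main`; unpushed commits on such a branch are discarded and `2>/dev/null || true` hides the outcome. Restricting the listing, e.g. `git branch --merged origin/main --list 'add-*' 'impl-*' 'gap-filler-*'`, or using `git branch -d`, would keep the two loops consistent. If force deletion is intended, a comment such as `# Local agent branches are disposable; unmerged work is dropped on purpose` should say so. The same pattern appears in the refactor.sh and security.sh hunks. run_team_cycle's body starts and ends outside the hunk.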
@@ -86,14 +86,30 @@ if [[ "${RUN_MODE}" == "refactor" ]]; then
 # Reset main checkout to origin/main
 git reset --hard origin/main 2>&1 | tee -a "${LOG_FILE}" || true
- log "Pre-cycle cleanup: stale worktrees..."
+ log "Pre-cycle cleanup: stale worktrees and branches..."
 git worktree prune 2>&1 | tee -a "${LOG_FILE}" || true
 if [[ -d "${WORKTREE_BASE}" ]]; then
 rm -rf "${WORKTREE_BASE}" 2>&1 | tee -a "${LOG_FILE}" || true
 log "Removed stale ${WORKTREE_BASE} directory"
 fi
- # Note: branch pruning and PR management is handled by the security team
+ # Delete merged refactor-related remote branches (fix/*, refactor/*, test/*, ux/*)
+ MERGED_BRANCHES=$(git branch -r --merged origin/main | grep -v 'origin/main\|origin/HEAD' | grep -E 'origin/(fix/|refactor/|test/|ux/)' | sed 's|origin/||' | tr -d ' ') || true
+ for branch in $MERGED_BRANCHES; do
+ if [[ -n "$branch" ]]; then
+ git push origin --delete "$branch" 2>&1 | tee -a "${LOG_FILE}" && log "Deleted merged branch: $branch" || true
+ fi
+ done
+
+ # Delete stale local refactor-related branches
+ LOCAL_BRANCHES=$(git branch --list 'fix/*' --list 'refactor/*' --list 'test/*' --list 'ux/*' | tr -d ' *') || true
+ for branch in $LOCAL_BRANCHES; do
+ if [[ -n "$branch" ]]; then
+ git branch -D "$branch" 2>&1 | tee -a "${LOG_FILE}" || true
+ fi
+ done
+
+ log "Pre-cycle cleanup done."
 fi
 # Launch Claude Code with mode-specific prompt
diff --git a/.claude/skills/setup-agent-team/security.sh b/.claude/skills/setup-agent-team/security.sh
index 7655b5dc..4675d53f 100644
--- a/.claude/skills/setup-agent-team/security.sh
+++ b/.claude/skills/setup-agent-team/security.sh
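Review bot: In the remote-deletion loop, `git push origin --delete "$branch" 2>&1 | tee -a "${LOG_FILE}" && log "Deleted merged branch: $branch"` takes its status from `tee` unless `pipefail` is set (not visible in this hunk), so the success message would be logged even when the push is rejected. For a trustworthy record of remote deletions the log line should depend on the push itself, e.g. `if git push origin --delete "$branch" >>"${LOG_FILE}" 2>&1; then log "Deleted merged branch: $branch"; fi`. The security.sh hunk has the same line. The prefixes `fix/` and `test/` are also common names for hand-made branches, so a comment stating that every merged branch under them is treated as agent-owned would help. The enclosing `if [[ "${RUN_MODE}" == "refactor" ]]` block starts outside the hunk.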
@@ -115,10 +115,35 @@ if [[ "${RUN_MODE}" == "team_building" ]] || [[ "${RUN_MODE}" == "triage" ]]; th
 log "Issue: #${ISSUE_NUM}"
 fi
-# Fetch latest refs (read-only, safe for concurrent runs)
-log "Fetching latest refs..."
+# Pre-cycle cleanup (stale branches, worktrees from prior runs)
+log "Pre-cycle cleanup..."
 git fetch --prune origin 2>&1 | tee -a "${LOG_FILE}" || true
+# Clean stale worktrees
+git worktree prune 2>&1 | tee -a "${LOG_FILE}" || true
+if [[ -d "${WORKTREE_BASE}" ]]; then
+ rm -rf "${WORKTREE_BASE}" 2>&1 | tee -a "${LOG_FILE}" || true
+ log "Removed stale ${WORKTREE_BASE} directory"
+fi
+
+# Delete merged security-related remote branches (team-building/*, review-pr-*)
+MERGED_BRANCHES=$(git branch -r --merged origin/main | grep -E 'origin/(team-building/|review-pr-)' | sed 's|origin/||' | tr -d ' ') || true
+for branch in $MERGED_BRANCHES; do
+ if [[ -n "$branch" ]]; then
+ git push origin --delete "$branch" 2>&1 | tee -a "${LOG_FILE}" && log "Deleted merged branch: $branch" || true
+ fi
+done
+
+# Delete stale local security-related branches
+LOCAL_BRANCHES=$(git branch --list 'team-building/*' --list 'review-pr-*' | tr -d ' *') || true
+for branch in $LOCAL_BRANCHES; do
+ if [[ -n "$branch" ]]; then
+ git branch -D "$branch" 2>&1 | tee -a "${LOG_FILE}" || true
+ fi
+done
+
+log "Pre-cycle cleanup done."
+
 # Launch Claude Code with mode-specific prompt
 log "Launching ${RUN_MODE} cycle..."
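Review bot: The removed comment described this step as read-only and safe for concurrent runs, but the replacement removes `${WORKTREE_BASE}` and force-deletes local `team-building/*` and `review-pr-*` branches at the start of every invocation. The commit message sets `cancel-in-progress: false` and a five-minute cron, so a second invocation can plausibly start while a long review_all run is still using those worktrees and branches; whether a lock elsewhere in security.sh prevents that is not visible here. Consider guarding the cleanup with a lock or skipping it when another cycle is active, and add a comment such as `# Cleanup is destructive: must not run while another security cycle is active`.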