
Fix SonarCloud deploy gate resilience#1104

Open
simple-agent-manager[bot] wants to merge 4 commits into main from sam/fix-sonarcloud-quality-gate-01ksa6

Conversation

@simple-agent-manager simple-agent-manager Bot commented May 23, 2026

Summary

  • Keep successful main CI runs from being canceled by newer pushes, while preserving cancellation for superseded PR commits, so every successful merge can trigger the production deploy workflow.
  • Make the production deploy gate explicitly CI-only and document that the separate SonarCloud GitHub App check must not suppress deploys.
  • Reduce SonarCloud new-code duplication by extracting shared AI model catalog helpers, and address the easy Reliability findings plus the false-positive Go lockfile issue with a narrow Sonar suppression.

Validation

  • pnpm lint
  • pnpm typecheck
  • pnpm test
  • Additional validation run: pnpm build, pnpm --filter @simple-agent-manager/shared typecheck, pnpm --filter @simple-agent-manager/shared test, pnpm --filter @simple-agent-manager/shared lint, git diff --check, YAML parse check for edited workflows; follow-up shared package typecheck/test after duplication cleanup

Staging Verification (REQUIRED for all code changes — merge-blocking)

  • Staging deployment green: Deploy Staging workflow triggered manually and passed for this branch
  • Live app verified via Playwright — staging workflow smoke-tests passed after deployment
  • Existing workflows confirmed working — staging deploy, deploy health check, and smoke-tests passed
  • New feature/fix verified on staging — verified the branch can deploy through the staging pipeline without SonarCloud being part of the deploy gate
  • Infrastructure verification completed — staging deploy completed successfully; no VM/cloud-init/DNS/TLS/deploy script changes in this PR
  • Mobile and desktop verification notes added for UI changes — N/A: no UI changes

Staging Verification Evidence

UI Compliance Checklist (Required for UI changes)

  • Mobile-first layout verified — N/A: no UI changes
  • Accessibility checks completed — N/A: no UI changes
  • Shared UI components used or exception documented — N/A: no UI changes
  • Playwright visual audit run locally — N/A: no UI changes

End-to-End Verification (Required for multi-component changes)

  • Data flow traced from user input to final outcome with code path citations (see below)
  • Capability test exercises the complete happy path across system boundaries
  • All spec/doc assumptions about existing behavior verified against code
  • If any gap exists between automated test coverage and full E2E, manual verification steps documented below

Data Flow Trace

  • .github/workflows/ci.yml: CI still runs the same jobs, but cancel-in-progress now only applies to pull request events. This keeps every successful main CI run alive long enough to emit a successful workflow_run event.
  • .github/workflows/deploy.yml: production deploy remains gated on github.event.workflow_run.conclusion == 'success' for the GitHub Actions CI workflow only. SonarCloud remains a separate GitHub App check and does not control this deploy gate.
  • packages/shared/src/constants/ai-services.ts: model catalog entries now share provider/scope/unified-ID construction helpers, removing the top duplicated Sonar block without changing exported model metadata.
  • sonar-project.properties: suppresses text:S8566 only for packages/cli/go.mod, which is a standard-library-only module where Go does not generate go.sum.

Untested Gaps

Post-Mortem (Required for bug fix PRs)

What broke

Automated production deploys could be skipped when a main CI run did not finish successfully. The project also had SonarCloud Quality Gate failures from duplication, reliability findings, and many historical security hotspots.

Root cause

The deploy workflow depends on the GitHub Actions CI workflow_run conclusion. Rapid main updates could cancel earlier CI runs, producing non-success conclusions that skipped deploys. Separately, SonarCloud reported quality failures as an independent GitHub App check.

Class of bug

Deployment orchestration coupling and quality-gate drift.

Why it wasn't caught

The deploy trigger behavior was not validated against rapid consecutive main pushes, and SonarCloud's quality report had accumulated unresolved false positives and duplicated catalog data.

Process fix included in this PR

  • .github/workflows/ci.yml: preserves completed main CI runs for deploy triggering.
  • .github/workflows/deploy.yml: documents the CI-only deploy gate and SonarCloud decoupling.
  • sonar-project.properties: adds a narrow suppression for the standard-library-only Go module lockfile false positive.

Post-mortem file

N/A: existing context was captured in docs/notes/2026-05-19-cli-sonar-quality-gap-postmortem.md; this PR scopes the process fix to workflow/config changes.

Specialist Review Evidence (Required for agent-authored PRs)

  • All dispatched reviewers completed and findings addressed before merge
  • If any reviewer did NOT complete: needs-human-review label added and merge deferred to human — N/A: all manual specialist reviews completed; merge is still deferred to human per task request
| Reviewer | Status | Outcome |
|---|---|---|
| task-completion-validator | PASS | Implementation and validation match task research; PR creation and staging completed after archive. |
| constitution-validator | PASS | No hardcoded runtime configuration introduced; model catalog metadata remains static registry data. |
| security-auditor | PASS | Sonar suppression is scoped to packages/cli/go.mod; no credential/auth surface changed. |
| test-engineer | PASS | Existing shared model catalog tests plus full suite cover the refactor; no new behavioral boundary added. |

Exceptions (If any)

  • Scope: Historical SonarCloud security hotspots were not fixed.
  • Rationale: Task explicitly asked not to attempt all 203 hotspots; most are expected false positives. This PR focuses on deploy resilience, duplication, and easy reliability findings.
  • Expiration: Revisit hotspot triage separately from deploy restoration.

Agent Preflight (Required)

  • Preflight completed before code changes

Classification

  • external-api-change
  • cross-component-change
  • business-logic-change
  • public-surface-change
  • docs-sync-change
  • security-sensitive-change
  • ui-change
  • infra-change

External References

  • GitHub Actions run/check history for main CI, production deploy, staging deploy, and SonarCloud Code Analysis.
  • SonarCloud API for current quality gate conditions, duplication offenders, and reliability/security findings.

Codebase Impact Analysis

  • .github/workflows/ci.yml: CI concurrency behavior for PR vs main runs.
  • .github/workflows/deploy.yml: production deploy gating documentation.
  • packages/shared/src/constants/ai-services.ts: AI model catalog construction.
  • prototype-blurred-bg.html: duplicate CSS border declarations removed.
  • sonar-project.properties: narrow false-positive suppression for packages/cli/go.mod.

Documentation & Specs

  • Task archived under tasks/archive/2026-05-23-fix-sonarcloud-quality-gate.md.
  • No user-facing docs changed; workflow comments document the deploy-gate behavior inline.

Constitution & Risk Check

Checked Principle XI / no hardcoded values via constitution-validator. Main tradeoff: main CI runs no longer cancel each other, increasing CI usage slightly while making production deploy triggers reliable. PR CI still cancels superseded commits.
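An illustrative reconstruction, added here and not the project's actual workflow files, of the two settings the Data Flow Trace above describes: CI cancellation limited to pull_request events, and a production deploy gated only on the CI workflow_run conclusion rather than on any external GitHub App check. Workflow names, job names, the checkout pin and the deploy step are assumptions.

```yaml
# Illustrative reconstruction (not the project's own files) of the pattern
# described in PR #1104. Assumed workflow/job names and deploy step.

# .github/workflows/ci.yml
name: CI
on:
  push:
    branches: [main]
  pull_request:

# One concurrency group per ref. A superseded PR commit still cancels the
# older run, but a push to main never cancels an in-flight main run, so a
# successful run always completes and emits workflow_run with
# conclusion == 'success' for the deploy workflow to consume.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install --frozen-lockfile && pnpm lint && pnpm typecheck && pnpm test

---
# .github/workflows/deploy.yml
name: Deploy production
on:
  workflow_run:
    workflows: [CI]        # the Actions CI workflow only; SonarCloud's app check is not a workflow_run source
    types: [completed]
    branches: [main]

jobs:
  deploy:
    # Gate solely on the CI workflow's conclusion. A failing SonarCloud
    # GitHub App check is reported separately and cannot suppress this job.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_branch == 'main'
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
        with:
          # Deploy exactly the commit CI validated, not whatever main points at now.
          ref: ${{ github.event.workflow_run.head_sha }}
      - run: ./deploy.sh   # placeholder for the real deploy step
```

Pinning the checkout to `head_sha` matters once main runs stop cancelling each other: two successful CI runs can complete out of order, and the gate should deploy the commit each run actually tested.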
