fix(github): don't add commits to an already-open PR (#95)

* fix(github): short-circuit CreatePullRequest when an open PR covers the head branch

The GitHub engine's CreatePullRequest had a silent-commit footgun that
produced the "311 commits on one PR" incident observed on
zelyo-operator-fix/demo-app-payment-service PR #12.

Flow before the fix:
  1. getRef → base SHA
  2. createRef returns 422 "branch exists" — engine swallows and continues
  3. createOrUpdateFile for each file — COMMITS LAND ON THE EXISTING PR's
     BRANCH (this is the regression)
  4. openPR returns 422 "a pull request already exists" — error bubbles up
  5. Controller catches the error but the file commit already shipped
  6. Next reconcile: same branch, another commit pile

This was only partially mitigated by the controller-layer existingBranches
dedup shipped in #91 and #94. That mitigation misses when ListOpenPRs
fails, when pagination hits the safety cap, or when any other caller of
CreatePullRequest skips the upstream check. The engine itself needed to
be the last line of defense.

Fix: after createRef returns 422, query GitHub for any open PR whose head
branch is exactly pr.HeadBranch. If one exists, log and return it — no
commit, no duplicate openPR. If no open PR exists (legitimate case when a
user manually closed a PR but left the branch), proceed with commit +
openPR as before. If the dedup lookup ITSELF fails, fail closed —
remediation defers to the next cycle rather than risk polluting an open
PR with duplicate commits.

New tests:
  - SkipsWhenOpenPRExists: createRef=422 + open PR exists → asserts PUT
    /contents and POST /pulls are never called, existing PR is returned
  - BranchExistsWithoutOpenPR: createRef=422 + empty PR list → asserts
    commit + openPR both run (the legitimate orphan-branch case)
  - BranchExistsLookupFails: createRef=422 + PR list returns 500 → asserts
    error return, no commit, no openPR (fail-closed)

Uses GitHub's head=owner:ref query param to scope the lookup server-side
(only one open PR per head branch is possible, so no pagination needed),
with in-memory ref equality as a defense-in-depth filter against mocks
or proxies that ignore the query.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* address PR review: typed APIError, owner:branch dedup match, shared PR struct

Three reviewer asks on #95:

1. Codex P2 — findOpenPRByHeadBranch was filtering on head.ref alone,
   so a fork PR using the same branch name could false-match the dedup
   check when a proxy/mock ignores the server-side head= query. Switch
   to matching on head.label ("owner:ref"), which GitHub always sets
   to the canonical identifier.

2. Gemini medium — string-matching "422" in the error message was
   brittle. doRequest now returns a typed *APIError with StatusCode
   and Body; the createRef 422 check uses errors.As for a direct
   integer comparison against http.StatusUnprocessableEntity.

3. Gemini medium — the PR-response anonymous struct was duplicated
   between findOpenPRByHeadBranch and ListOpenPRs. Extract
   githubPullResponse at package scope and reuse.

Tests:
 - Existing SkipsWhenOpenPRExists mock now sets head.label so the
   engine's new equality check matches.
 - New DoesNotMatchForkPRWithSameRef: server (simulating a proxy that
   ignored head= query) returns a fork PR with head.label =
   "forkuser:<branch>" distinct from our owner. Asserts the engine
   proceeds with its own commit + openPR instead of false-matching.
 - New APIErrorTypedUnwrap: pins the typed-error contract. Covers
   both the direct-%w-wrap path callers use and the live doRequest
   path, so a future refactor that swallows the type breaks here.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mayurkr

internal/github/engine.go

@@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -32,6 +33,41 @@ import (
 	"github.com/zelyo-ai/zelyo-operator/internal/gitops"
 )
 
+// APIError is the typed error doRequest returns on any non-2xx response
+// from GitHub. Callers use errors.As to branch on HTTP status codes —
+// e.g. createRef's 422-on-branch-exists — rather than string-matching the
+// formatted message, which was the brittle pre-refactor pattern.
+type APIError struct {
+	StatusCode int
+	Body       string // Truncated response body for diagnostics.
+}
+
+func (e *APIError) Error() string {
+	return fmt.Sprintf("GitHub API error %d: %s", e.StatusCode, e.Body)
+}
+
+// githubPullResponse is the subset of GitHub's PR payload we decode. Shared
+// by CreatePullRequest, findOpenPRByHeadBranch, ListOpenPRs, and openPR so
+// the decoding shape is defined once.
+//
+// Head.Label is the canonical "owner:ref" identifier. Matching on Label is
+// how we tell a same-repo PR (head.label = repo_owner:branch) apart from a
+// fork PR that happens to use the same branch name (head.label =
+// fork_owner:branch). Filtering only on Head.Ref would let a fork PR
+// false-match the dedup check.
+type githubPullResponse struct {
+	Number  int    `json:"number"`
+	HTMLURL string `json:"html_url"`
+	Head    struct {
+		Ref   string `json:"ref"`
+		Label string `json:"label"`
+	} `json:"head"`
+	CreatedAt time.Time `json:"created_at"`
+	Labels    []struct {
+		Name string `json:"name"`
+	} `json:"labels"`
+}
+
 // GitHubEngine implements gitops.Engine using the GitHub REST API.
 // It supports GitHub App authentication and all CRUD operations needed
 // for the Zelyo Operator auto-remediation workflow.
@@ -69,12 +105,46 @@ func (e *GitHubEngine) CreatePullRequest(ctx context.Context, pr *gitops.PullReq
 	}
 
 	// Step 2: Create the head branch from the base.
+	//
+	// GitHub returns 422 when the branch already exists. Historically the
+	// engine swallowed that error and proceeded to Step 3 (commit files)
+	// and Step 4 (openPR). If a PR was already open against this branch,
+	// that flow produced the 311-commits-on-one-PR footgun: openPR would
+	// fail with 422 "already exists", but the file commits from Step 3 had
+	// already landed on the open PR's branch. Every subsequent reconcile
+	// piled another commit on the same PR.
+	//
+	// Fix: when the branch already exists, check whether it already backs
+	// an open PR BEFORE committing. If yes, short-circuit and return the
+	// existing PR — no new commits, no duplicate opens. If the branch
+	// exists without an open PR (legitimate when a user deletes a PR
+	// without deleting the branch), proceed with commit + openPR.
+	//
+	// If the dedup lookup itself fails, abort rather than risk silently
+	// appending commits to an open PR. Remediation for this branch will
+	// retry next reconcile — a temporary deferral is cheaper than
+	// permanent commit pollution on an already-open PR.
 	if err := e.createRef(ctx, pr.RepoOwner, pr.RepoName, "refs/heads/"+pr.HeadBranch, baseSHA); err != nil {
-		// Branch might already exist from a previous attempt — continue.
-		if !strings.Contains(err.Error(), "422") {
+		// 422 Unprocessable Entity → branch already exists. Any other
+		// status is a hard failure we can't recover from. errors.As on
+		// APIError replaces the earlier string-match on "422" — the
+		// message format is no longer part of the contract.
+		var apiErr *APIError
+		if !errors.As(err, &apiErr) || apiErr.StatusCode != http.StatusUnprocessableEntity {
 			return nil, fmt.Errorf("creating head branch: %w", err)
 		}
-		e.log.Info("Branch already exists, continuing", "branch", pr.HeadBranch)
+		existing, lookupErr := e.findOpenPRByHeadBranch(ctx, pr.RepoOwner, pr.RepoName, pr.HeadBranch)
+		if lookupErr != nil {
+			return nil, fmt.Errorf("head branch %q already exists but could not verify absence of open PR: %w",
+				pr.HeadBranch, lookupErr)
+		}
+		if existing != nil {
+			e.log.Info("Skipping commit: an open PR already covers this head branch",
+				"number", existing.Number, "branch", pr.HeadBranch, "url", existing.URL)
+			return existing, nil
+		}
+		e.log.Info("Branch already exists without an open PR — proceeding",
+			"branch", pr.HeadBranch)
 	}
 
 	// Step 3: Commit each file to the head branch.
@@ -147,6 +217,52 @@ func (e *GitHubEngine) GetFile(ctx context.Context, owner, repo, path, ref strin
 	return decoded[:n], nil
 }
 
+// findOpenPRByHeadBranch queries GitHub for any open PR whose head branch
+// is exactly `branch` in the same repo (no cross-fork lookup). Returns
+// (nil, nil) when no matching PR exists, the PR when one does, or an error
+// when the API call failed.
+//
+// GitHub rejects a second open PR against an already-in-use head branch,
+// so the result set is size 0 or 1 — no pagination. The `head=owner:ref`
+// query narrows server-side; we additionally filter in-memory on the full
+// "owner:ref" label so a mock or proxy that ignores the query parameter
+// cannot return a spurious match from a fork PR that happens to use the
+// same branch name (head.ref alone would false-match — a real concern for
+// any heavily-forked repo).
+//
+// Used by CreatePullRequest to short-circuit when the target head branch
+// already backs an open PR; see the comment there for the 311-commits
+// footgun this guards against.
+func (e *GitHubEngine) findOpenPRByHeadBranch(ctx context.Context, owner, repo, branch string) (*gitops.PullRequestResult, error) {
+	wantLabel := owner + ":" + branch
+	reqURL := fmt.Sprintf("%s/repos/%s/%s/pulls?state=open&head=%s",
+		e.baseURL, owner, repo, url.QueryEscape(wantLabel))
+
+	body, err := e.doRequest(ctx, http.MethodGet, reqURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("looking up open PR for branch %q: %w", branch, err)
+	}
+
+	var prs []githubPullResponse
+	if err := json.Unmarshal(body, &prs); err != nil {
+		return nil, fmt.Errorf("decoding PR lookup response: %w", err)
+	}
+	for _, pr := range prs {
+		// Require an exact owner:ref match. GitHub always populates
+		// head.label as "owner_login:ref_name"; a fork PR with the same
+		// ref name has a different label and is correctly rejected here.
+		if pr.Head.Label == wantLabel {
+			return &gitops.PullRequestResult{
+				Number:    pr.Number,
+				URL:       pr.HTMLURL,
+				Branch:    pr.Head.Ref,
+				CreatedAt: pr.CreatedAt,
+			}, nil
+		}
+	}
+	return nil, nil
+}
+
 // ListOpenPRs implements gitops.Engine.ListOpenPRs by paginating over
 // GitHub's list-PRs endpoint. A single page is 100 PRs (the endpoint's max);
 // we keep requesting successive pages until a page comes back short or we
@@ -165,17 +281,7 @@ func (e *GitHubEngine) ListOpenPRs(ctx context.Context, owner, repo string) ([]g
 			return nil, fmt.Errorf("listing open PRs (page %d): %w", page, err)
 		}
 
-		var prs []struct {
-			Number  int    `json:"number"`
-			HTMLURL string `json:"html_url"`
-			Head    struct {
-				Ref string `json:"ref"`
-			} `json:"head"`
-			CreatedAt time.Time `json:"created_at"`
-			Labels    []struct {
-				Name string `json:"name"`
-			} `json:"labels"`
-		}
+		var prs []githubPullResponse
 		if err := json.Unmarshal(body, &prs); err != nil {
 			return nil, fmt.Errorf("decoding PRs response (page %d): %w", page, err)
 		}
@@ -382,7 +488,10 @@ func (e *GitHubEngine) doRequest(ctx context.Context, method, reqURL string, pay
 	}
 
 	if resp.StatusCode >= 400 {
-		return nil, fmt.Errorf("GitHub API error %d: %s", resp.StatusCode, truncate(string(body), 200))
+		return nil, &APIError{
+			StatusCode: resp.StatusCode,
+			Body:       truncate(string(body), 200),
+		}
 	}
 
 	return body, nil