fix(pr-ci-wait): CI-history primary tier — close webhook-lag false-green (#550)

F-06 follow-up per Mos ruling. The no-CI fast-exit was a pure empty-poll streak
(NO_CI_MAX×interval ≈ 45s), so a slow-to-register pipeline (webhook/queue lag)
looked like 'no CI' and could false-green a merge gate before the pipeline existed.

Two-tier no-CI determination:
- PRIMARY: probe the repo's DEFAULT BRANCH commit status once at startup. If it
  has CI history, the repo runs CI → an empty status on the PR head means the
  pipeline has not REGISTERED yet → never fast-green; poll until it registers or
  timeout (both safe). Closes the webhook-lag false-green.
- SECONDARY: the empty-poll streak fast-exit now applies ONLY to genuinely CI-less
  repos (default branch also has no CI history). Preserves the original no-CI win.
- Probe failure → conservative REPO_HAS_CI=1 (assume CI; wait-then-timeout beats
  false-green). All early returns are explicit 'return 0' + guarded call so the
  probe can never abort under set -e.

Verified: bash -n + shellcheck clean; behavioral harness covers established-repo
(stays 1), CI-less (→0), empty-branch/probe-fail (conservative 1), and the
no-status gate (has-CI never fast-greens, CI-less fast-exits).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Kt2D8TsnDwhtzEAPijsNmR

packages/mosaic/framework/tools/_lib/credentials.sh

@@ -16,7 +16,12 @@
 # After loading, service-specific env vars are exported.
 # Run `load_credentials --help` for details.
 
-MOSAIC_CREDENTIALS_FILE="${MOSAIC_CREDENTIALS_FILE:-$HOME/src/jarvis-brain/credentials.json}"
+if [[ -z "${MOSAIC_CREDENTIALS_FILE:-}" ]]; then
+  for _cand in "$HOME/.config/mosaic/credentials.json" "$HOME/src/jarvis-brain/credentials.json"; do
+    if [[ -f "$_cand" ]]; then MOSAIC_CREDENTIALS_FILE="$_cand"; break; fi
+  done
+  : "${MOSAIC_CREDENTIALS_FILE:=$HOME/src/jarvis-brain/credentials.json}"
+fi
 
 _mosaic_require_jq() {
   if ! command -v jq &>/dev/null; then
@@ -34,6 +39,19 @@ _mosaic_read_cred() {
   jq -r "$jq_path // empty" "$MOSAIC_CREDENTIALS_FILE"
 }
 
+# Decide curl TLS flag for a target URL: validate public hosts (MITM matters on
+# WAN); allow self-signed only for private-network IP literals (trusted LAN) or an
+# explicit $MOSAIC_INSECURE_TLS opt-in. Echoes "-k" or "" (empty).
+_mosaic_tls_opt() {
+  local url="$1" host
+  [[ -n "${MOSAIC_INSECURE_TLS:-}" ]] && { echo "-k"; return; }
+  host=$(printf '%s' "$url" | sed -E 's#^[a-zA-Z]+://([^/:]+).*#\1#')
+  if [[ "$host" =~ ^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.) ]]; then
+    echo "-k"; return
+  fi
+  echo ""
+}
+
 # Sync Woodpecker credentials to ~/.woodpecker/<instance>.env
 # Only writes when values differ to avoid unnecessary disk writes.
 _mosaic_sync_woodpecker_env() {
@@ -261,7 +279,8 @@ mosaic_http() {
   local base_url="${4:-}"
 
   local response
-  response=$(curl -sk -w "\n%{http_code}" -X "$method" \
+  local _tls; _tls=$(_mosaic_tls_opt "${base_url}${endpoint}")
+  response=$(curl -sS $_tls -w "\n%{http_code}" -X "$method" \
     -H "$auth_header" \
     -H "Content-Type: application/json" \
     "${base_url}${endpoint}")
@@ -279,7 +298,8 @@ mosaic_http_post() {
   local base_url="${4:-}"
 
   local response
-  response=$(curl -sk -w "\n%{http_code}" -X POST \
+  local _tls; _tls=$(_mosaic_tls_opt "${base_url}${endpoint}")
+  response=$(curl -sS $_tls -w "\n%{http_code}" -X POST \
     -H "$auth_header" \
     -H "Content-Type: application/json" \
     -d "$data" \
@@ -297,7 +317,8 @@ mosaic_http_patch() {
   local base_url="${4:-}"
 
   local response
-  response=$(curl -sk -w "\n%{http_code}" -X PATCH \
+  local _tls; _tls=$(_mosaic_tls_opt "${base_url}${endpoint}")
+  response=$(curl -sS $_tls -w "\n%{http_code}" -X PATCH \
     -H "$auth_header" \
     -H "Content-Type: application/json" \
     -d "$data" \

packages/mosaic/framework/tools/git/pr-ci-wait.sh

@@ -72,6 +72,11 @@ elif values and all(v == "success" for v in values):
     print("success")
 elif any(v in {"pending", "running", "queued", "waiting"} for v in values):
     print("pending")
+elif not values and not state:
+    # No pipeline/status of any kind reported for this commit. Distinct from
+    # "unknown" (an ambiguous/unrecognized status that should keep polling):
+    # this signals a repo/commit that simply has no CI configured.
+    print("no-status")
 else:
     print("unknown")
 PY
@@ -142,6 +147,21 @@ gitea_get_commit_status_json() {
     curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url"
 }
 
+gitea_get_default_branch() {
+    local host="$1"
+    local repo="$2"
+    local token="$3"
+    local url="https://${host}/api/v1/repos/${repo}"
+    curl -fsSL -H "User-Agent: curl/8" -H "Authorization: token ${token}" "$url" | python3 -c '
+import json, sys
+print((json.load(sys.stdin) or {}).get("default_branch", ""))
+'
+}
+
+github_get_default_branch() {
+    gh api "repos/${OWNER}/${REPO}" --jq '.default_branch'
+}
+
 while [[ $# -gt 0 ]]; do
     case "$1" in
         -n|--number)
@@ -245,6 +265,51 @@ else
     exit 1
 fi
 
+# No-CI determination is TWO-TIER (primary: CI history; secondary: empty-poll streak).
+#
+# PRIMARY — "does this repo run CI at all?" Probed once, up front, from the DEFAULT
+# BRANCH's commit status. A repo whose default branch carries CI statuses
+# demonstrably runs CI, so an EMPTY status on the PR head means the pipeline simply
+# has not registered YET (webhook/queue lag) — NOT that the repo is CI-less. In that
+# case we must NEVER fast-green; we keep polling until the pipeline registers or the
+# timeout fires (both safe). This closes the webhook-lag false-green: a slow-to-
+# register pipeline feeding a merge gate can no longer be mistaken for "no CI".
+#
+# SECONDARY — the empty-poll streak below applies ONLY to genuinely CI-less repos
+# (default branch also has no CI history, e.g. device-imaging class), where burning
+# the full timeout would be pure waste. There, NO_CI_MAX empty polls => fast-exit 0.
+#
+# Probe failure is treated conservatively as REPO_HAS_CI=1 (assume CI present): we
+# would rather wait-then-timeout than risk a false-green, per the merge-gate priority.
+REPO_HAS_CI=1
+detect_repo_ci() {
+    local def_branch def_status
+    # Every early exit returns 0: a probe miss must leave the conservative
+    # REPO_HAS_CI=1 default in place, never abort the caller under `set -e`.
+    if [[ "$PLATFORM" == "github" ]]; then
+        def_branch=$(github_get_default_branch 2>/dev/null) || {
+            echo "[pr-ci-wait] WARN: default-branch probe failed; assuming CI-enabled (will not fast-green on empty status)."; return 0; }
+        [[ -n "$def_branch" ]] || return 0
+        def_status=$(github_get_commit_status_json "$OWNER" "$REPO" "$def_branch" 2>/dev/null | extract_state_from_status_json) || return 0
+    else
+        def_branch=$(gitea_get_default_branch "$HOST" "$OWNER/$REPO" "$TOKEN" 2>/dev/null) || {
+            echo "[pr-ci-wait] WARN: default-branch probe failed; assuming CI-enabled (will not fast-green on empty status)."; return 0; }
+        [[ -n "$def_branch" ]] || return 0
+        def_status=$(gitea_get_commit_status_json "$HOST" "$OWNER/$REPO" "$TOKEN" "$def_branch" 2>/dev/null | extract_state_from_status_json) || return 0
+    fi
+    if [[ "$def_status" == "no-status" || -z "$def_status" ]]; then
+        REPO_HAS_CI=0
+        echo "[pr-ci-wait] default branch '${def_branch}' has no CI status history — treating repo as CI-less (empty-poll fast-exit enabled)."
+    else
+        REPO_HAS_CI=1
+        echo "[pr-ci-wait] default branch '${def_branch}' has CI history (state=${def_status}) — repo runs CI; empty status on PR head => awaiting registration, will not fast-green."
+    fi
+}
+detect_repo_ci || true
+
+NO_CI_STREAK=0
+NO_CI_MAX=3
+
 while true; do
     NOW_TS=$(date +%s)
     if (( NOW_TS > DEADLINE_TS )); then
@@ -272,11 +337,35 @@ while true; do
             echo "Error: CI reported ${STATE} for PR #$PR_NUMBER." >&2
             exit 1
             ;;
+        no-status)
+            if [[ "$REPO_HAS_CI" == "1" ]]; then
+                # PRIMARY tier: repo demonstrably runs CI but this commit's pipeline
+                # has not registered yet (webhook/queue lag). Do NOT fast-green — keep
+                # polling until it registers or the timeout fires. Reset the streak so
+                # a later genuine CI-less misread can't accumulate across this state.
+                NO_CI_STREAK=0
+                echo "[pr-ci-wait] empty status on PR head but repo runs CI — awaiting pipeline registration (webhook lag), not fast-greening."
+            else
+                # SECONDARY tier: genuinely CI-less repo (default branch has no CI
+                # history either). Empty polls => fast-exit green after NO_CI_MAX.
+                NO_CI_STREAK=$((NO_CI_STREAK + 1))
+                if (( NO_CI_STREAK >= NO_CI_MAX )); then
+                    echo "[INFO] no CI configured for this repo/commit (PR #$PR_NUMBER, ${NO_CI_STREAK} consecutive empty polls, default branch also CI-less); treating as green."
+                    exit 0
+                fi
+            fi
+            sleep "$INTERVAL_SEC"
+            ;;
         pending|unknown)
+            # A pipeline exists but hasn't reached a terminal state (or is
+            # transiently ambiguous) — keep waiting, and reset the no-CI streak
+            # since this commit is not in the "no CI at all" condition.
+            NO_CI_STREAK=0
             sleep "$INTERVAL_SEC"
             ;;
         *)
             echo "[pr-ci-wait] Unrecognized state '${STATE}', continuing to poll..."
+            NO_CI_STREAK=0
             sleep "$INTERVAL_SEC"
             ;;
     esac

packages/mosaic/framework/tools/tmux/agent-send.sh

@@ -12,10 +12,6 @@
 #   ambiguity about lanes or origin. Recipients replying should FLIP the
 #   preamble: [<dst> -> <src>] ... (this tool sends; it does not auto-reply).
 #
-#   Optionally tags the message with a TRIAGE CLASS (see -C / --class) so a
-#   comms daemon can route it (deliver-to-agent vs log-and-drop) from an exact
-#   field instead of re-deriving intent from the body.
-#
 # WHY A WRAPPER
 #   Reliable submission into an interactive REPL (Claude Code / Codex) is fiddly:
 #   a trailing Enter is often swallowed and the message sits as an unsubmitted
@@ -30,7 +26,6 @@
 #   agent-send.sh -s <dst_session> -m "message"                 # local target
 #   agent-send.sh -H user@host -s <dst_session> -m "message"    # remote target
 #   agent-send.sh -H user@host -n <dst_hostname> -s <sess> -f msg.txt
-#   agent-send.sh -s mos-claude --class terminal-log -m "ACK — received"
 #   echo "msg" | agent-send.sh -H user@host -s <dst_session>
 #
 # OPTIONS
@@ -40,60 +35,26 @@
 #                   Default: local hostname, or (remote) resolved via one ssh.
 #   -m MESSAGE      message text (single- or multi-line)
 #   -f FILE         read message from FILE instead of -m
-#   -C CLASS        triage class for a comms daemon. One of:
-#                     terminal-log  log-only; never needs the agent's attention
-#                     actionable    carries a decision/blocker/gate — deliver
-#                     human         from a human operator — deliver
-#                     reaction      an emoji/ack reaction
-#                   Long form: --class CLASS (or --class=CLASS). When SET, the
-#                   preamble carries a ` class=<CLASS>` token INSIDE the bracket:
-#                       [<src> -> <dst> class=terminal-log] <message>
-#                   When OMITTED, NO token is emitted and the preamble is
-#                   byte-for-byte identical to the classic format. Consumers MUST
-#                   treat an absent class as 'actionable' (fail-safe: agent sees it).
 #   -S SRC_LABEL    override source label "<host>:<session>" (default: auto)
 #   -r N            Enter-flush attempts passed through (default 2)
 #   -v              verbose: print pane tail after delivery
 #   -h              help
 #
-# PREAMBLE GRAMMAR  (for consumers / daemons mirroring this producer)
-#   ^\[(\S+) -> (\S+?)(?: class=(terminal-log|actionable|human|reaction))?\] (.*)$
-#     group 1 = src label   group 2 = dst host:session
-#     group 3 = class (absent => actionable)   group 4 = message body
-#
 # EXIT CODES  (passed through from send-message.sh)
 #   0 delivered/queued · 1 target not found · 2 still draft · 3 usage error
 set -uo pipefail
 
 SELF_DIR=$(cd -- "$(dirname -- "$0")" && pwd)
-# Sender is overridable via env purely for testing (inject a capture stub). The
+SENDER="$SELF_DIR/send-message.sh"
-# default is the canonical send-message.sh beside this script; production callers
-# never set AGENT_SEND_SENDER, so behavior is unchanged.
-SENDER="${AGENT_SEND_SENDER:-$SELF_DIR/send-message.sh}"
-
-# Translate the long option --class[=value] into "-C value" so getopts (which is
-# short-option-only) can parse it. Every other argument passes through untouched,
-# so callers that never use --class hit the exact original getopts path.
-args=()
-while [ $# -gt 0 ]; do
-  case "$1" in
-    --class)   [ $# -ge 2 ] || { echo "ERROR: --class requires a value" >&2; exit 3; }
-               args+=(-C "$2"); shift 2 ;;
-    --class=*) args+=(-C "${1#*=}"); shift ;;
-    *)         args+=("$1"); shift ;;
-  esac
-done
-set -- ${args[@]+"${args[@]}"}
 
 DST_SESSION=""; SSH_TARGET=""; DST_HOST=""; MSG=""; FILE=""
-SRC_LABEL=""; RETRIES=2; VERBOSE=0; CLASS=""
+SRC_LABEL=""; RETRIES=2; VERBOSE=0
-usage() { sed -n '2,/^set -uo pipefail/{/^set -uo pipefail/d;p}' "$0"; exit "${1:-3}"; }
+usage() { sed -n '2,44p' "$0"; exit "${1:-3}"; }
 
-while getopts "s:H:n:m:f:S:r:C:vh" o; do
+while getopts "s:H:n:m:f:S:r:vh" o; do
   case "$o" in
     s) DST_SESSION=$OPTARG ;; H) SSH_TARGET=$OPTARG ;; n) DST_HOST=$OPTARG ;;
     m) MSG=$OPTARG ;; f) FILE=$OPTARG ;; S) SRC_LABEL=$OPTARG ;;
-    C) CLASS=$OPTARG ;;
     r) RETRIES=$OPTARG ;; v) VERBOSE=1 ;; h) usage 0 ;; *) usage 3 ;;
   esac
 done
@@ -101,17 +62,6 @@ done
 [ -n "$DST_SESSION" ] || { echo "ERROR: -s DST_SESSION is required" >&2; usage 3; }
 [ -x "$SENDER" ] || { echo "ERROR: send-message.sh not found beside this script" >&2; exit 3; }
 
-# Validate the triage class only when one was given. An absent class emits NO
-# token (preamble byte-identical to the classic format); the consumer defaults
-# absent => actionable.
-CLASS_TOKEN=""
-if [ -n "$CLASS" ]; then
-  case "$CLASS" in
-    terminal-log|actionable|human|reaction) CLASS_TOKEN=" class=${CLASS}" ;;
-    *) echo "ERROR: invalid --class '$CLASS' (allowed: terminal-log, actionable, human, reaction)" >&2; exit 3 ;;
-  esac
-fi
-
 # Message body from -f / -m / stdin.
 if   [ -n "$FILE" ]; then [ -r "$FILE" ] || { echo "ERROR: cannot read $FILE" >&2; exit 3; }; MSG=$(cat -- "$FILE")
 elif [ -z "$MSG" ] && [ ! -t 0 ]; then MSG=$(cat)
@@ -134,7 +84,7 @@ if [ -z "$DST_HOST" ]; then
   fi
 fi
 
-PREAMBLE="[${SRC_LABEL} -> ${DST_HOST}:${DST_SESSION}${CLASS_TOKEN}]"
+PREAMBLE="[${SRC_LABEL} -> ${DST_HOST}:${DST_SESSION}]"
 FULL="${PREAMBLE} ${MSG}"
 B64=$(printf '%s' "$FULL" | base64 -w0)
 

packages/mosaic/framework/tools/tmux/agent-send.test.sh

@@ -1,97 +0,0 @@
-#!/usr/bin/env bash
-# agent-send.test.sh — regression + grammar lock for agent-send.sh --class.
-#
-# Strategy: inject a capture stub via AGENT_SEND_SENDER that decodes the -b
-# base64 payload and prints the FULL message (preamble + body) so we can assert
-# the exact bytes on the wire. Local path only (no ssh), -n pins the dst host so
-# the preamble is deterministic across machines.
-#
-# Guarantees locked here:
-#   1. REGRESSION BAR — no --class => preamble byte-for-byte identical to classic.
-#   2. --class <c> => ` class=<c>` token emitted inside the bracket.
-#   3. --class=<c> (equals form) parses identically to the space form.
-#   4. -C <c> short form parses identically.
-#   5. invalid class => exit 3, nothing sent.
-#   6. --class with no value => exit 3.
-#   7. the documented consumer regex parses producer output for every class.
-set -uo pipefail
-
-HERE=$(cd -- "$(dirname -- "$0")" && pwd)
-TOOL="$HERE/agent-send.sh"
-
-# Capture stub: stands in for send-message.sh. Decodes -b and prints the payload.
-STUB=$(mktemp)
-trap 'rm -f "$STUB"' EXIT
-cat >"$STUB" <<'STUB_EOF'
-#!/usr/bin/env bash
-set -uo pipefail
-b64=""
-while getopts "t:b:r:v" o; do case "$o" in b) b64=$OPTARG ;; *) : ;; esac; done
-printf '%s' "$b64" | base64 -d
-STUB_EOF
-chmod +x "$STUB"
-
-PASS=0; FAIL=0
-ok()   { PASS=$((PASS+1)); printf 'ok   %s\n' "$1"; }
-no()   { FAIL=$((FAIL+1)); printf 'FAIL %s\n   %s\n' "$1" "$2"; }
-
-# Run the tool with the stub injected; echoes captured payload on stdout.
-run() { AGENT_SEND_SENDER="$STUB" bash "$TOOL" -S a:src -n dsthost "$@"; }
-
-# Documented consumer grammar — the daemon will mirror exactly this.
-GRAMMAR='^\[(\S+) -> (\S+) class=(terminal-log|actionable|human|reaction)\] (.*)$'
-GRAMMAR_NOCLASS='^\[(\S+) -> (\S+)\] (.*)$'
-
-# 1. REGRESSION BAR: classic preamble, byte-for-byte.
-got=$(run -s mos -m "hello world")
-want='[a:src -> dsthost:mos] hello world'
-[ "$got" = "$want" ] && ok "regression: no --class is byte-identical" \
-  || no "regression: no --class is byte-identical" "got=[$got] want=[$want]"
-
-# 2. --class space form emits the token.
-got=$(run -s mos --class terminal-log -m "ACK")
-want='[a:src -> dsthost:mos class=terminal-log] ACK'
-[ "$got" = "$want" ] && ok "--class terminal-log emits token" \
-  || no "--class terminal-log emits token" "got=[$got] want=[$want]"
-
-# 3. --class=value equals form.
-got=$(run -s mos --class=actionable -m "decide X")
-want='[a:src -> dsthost:mos class=actionable] decide X'
-[ "$got" = "$want" ] && ok "--class=actionable (equals form)" \
-  || no "--class=actionable (equals form)" "got=[$got] want=[$want]"
-
-# 4. -C short form.
-got=$(run -s mos -C human -m "from a person")
-want='[a:src -> dsthost:mos class=human] from a person'
-[ "$got" = "$want" ] && ok "-C human (short form)" \
-  || no "-C human (short form)" "got=[$got] want=[$want]"
-
-# 5. invalid class => exit 3, no send.
-if out=$(run -s mos --class bogus -m "x" 2>/dev/null); then
-  no "invalid class rejected" "expected non-zero exit, got 0 (out=[$out])"
-else
-  rc=$?
-  [ "$rc" = 3 ] && [ -z "$out" ] && ok "invalid class => exit 3, nothing sent" \
-    || no "invalid class => exit 3, nothing sent" "rc=$rc out=[$out]"
-fi
-
-# 6. --class with no value => exit 3.
-if run -s mos -m "x" --class 2>/dev/null; then
-  no "--class with no value rejected" "expected non-zero exit, got 0"
-else
-  [ "$?" = 3 ] && ok "--class with no value => exit 3" || no "--class with no value => exit 3" "wrong rc"
-fi
-
-# 7. consumer grammar parses every class + classic line.
-for c in terminal-log actionable human reaction; do
-  line=$(run -s mos --class "$c" -m "body $c")
-  [[ "$line" =~ $GRAMMAR ]] && [ "${BASH_REMATCH[3]}" = "$c" ] && [ "${BASH_REMATCH[4]}" = "body $c" ] \
-    && ok "grammar parses class=$c" || no "grammar parses class=$c" "line=[$line]"
-done
-classic=$(run -s mos -m "plain body")
-[[ "$classic" =~ $GRAMMAR_NOCLASS ]] && [ "${BASH_REMATCH[3]}" = "plain body" ] \
-  && ok "grammar (no-class) parses classic line" || no "grammar (no-class) parses classic line" "line=[$classic]"
-
-echo "---"
-echo "PASS=$PASS FAIL=$FAIL"
-[ "$FAIL" -eq 0 ]

packages/mosaic/framework/tools/woodpecker/_lib.sh

@@ -12,7 +12,7 @@ wp_resolve_repo_id() {
   local full_name="$1"
   local response http_code body repo_id
 
-  response=$(curl -sk -w "\n%{http_code}" \
+  response=$(curl -sS -w "\n%{http_code}" \
     -H "Authorization: Bearer $WOODPECKER_TOKEN" \
     "${WOODPECKER_URL}/api/repos/lookup/${full_name}")
 

packages/mosaic/framework/tools/woodpecker/pipeline-list.sh

@@ -48,7 +48,7 @@ fi
 # Resolve owner/repo to numeric ID (Woodpecker v3 API)
 REPO_ID=$(wp_resolve_repo_id "$REPO") || exit 1
 
-response=$(curl -sk -w "\n%{http_code}" \
+response=$(curl -sS -w "\n%{http_code}" \
   -H "Authorization: Bearer $WOODPECKER_TOKEN" \
   "${WOODPECKER_URL}/api/repos/${REPO_ID}/pipelines?perPage=${LIMIT}")
 

packages/mosaic/framework/tools/woodpecker/pipeline-status.sh

@@ -50,7 +50,7 @@ REPO_ID=$(wp_resolve_repo_id "$REPO") || exit 1
 _wp_fetch() {
   local ep="$1"
   local resp http_code body
-  resp=$(curl -sk -w "\n%{http_code}" \
+  resp=$(curl -sS -w "\n%{http_code}" \
     -H "Authorization: Bearer $WOODPECKER_TOKEN" \
     "$ep")
   http_code=$(echo "$resp" | tail -n1)

packages/mosaic/framework/tools/woodpecker/pipeline-trigger.sh

@@ -46,7 +46,7 @@ REPO_ID=$(wp_resolve_repo_id "$REPO") || exit 1
 
 echo "Triggering pipeline for $REPO on branch $BRANCH..."
 
-response=$(curl -sk -w "\n%{http_code}" -X POST \
+response=$(curl -sS -w "\n%{http_code}" -X POST \
   -H "Authorization: Bearer $WOODPECKER_TOKEN" \
   -H "Content-Type: application/json" \
   -d "$(jq -n --arg b "$BRANCH" '{branch: $b}')" \