feat(control-plane,web): persist + surface the runner failure detail (#137)

[stephane-segning]

1. Summary

This PR changes:

• Adds migration 0016_task_error_detail.sql — a nullable error_detail TEXT column on tasks.
• Persists the runner's free-text status detail: set_task_status now takes detail: Option<&str> and writes it via COALESCE($4, error_detail); set_status passes update.detail through (it previously only logged and dropped it — the code literally said "not persisted yet"); both reaper call sites updated (the reaper's terminal-fail path records a reason).
• Exposes it: TaskRow.error_detail (selected by TASK_SELECT's t.*) so GET /tasks and GET /tasks/{id} return it.
• Web run detail page surfaces error_detail as a calm inline status line ("Review did not post: ") for failed runs and for succeeded-but-empty no-ops, so a silent no-op is tellable apart from a real clean review.

It solves:

• Source of truth: [Epic]: Trustworthy review agent v2 — native loop, richer findings, conversational commands, observability & feedback #137
• Failed / no-op reviews showed up green on the dashboard with no recorded reason. A live 14-day prod audit found 98 of 144 (~68%) "succeeded" PR-review tasks had posted nothing — failures swallowed as success, with the runner's detail only info!-logged and then dropped ("not persisted yet").

---

2. Intent

The intent of this PR is:

Stop discarding the runner's failure reason. A concurrent agent-runner PR makes the runner send a meaningful detail on failure; this PR persists that detail and surfaces it on the run detail page so an operator can tell why a review failed or posted nothing, instead of seeing a green run with no explanation. This is the persist + surface half of the fix for the silent-no-op problem (#137).

---

3. Scope

In Scope

• services/control-plane: migration 0016, db.rs (set_task_status signature + TaskRow.error_detail), http/internal.rs (set_status threading detail), queue/reaper.rs (call-site updates).
• apps/web: Task.error_detail type + run detail page rendering.

Out of Scope

• webhook.rs idempotency logic and the agent-runner itself (separate concurrent PRs).
• The succeeded/failed state machine — persisting + surfacing the reason is the core fix; the added "silent no-op" indicator on the web side is purely derived and additive.
• Running the migration against prod / deployment / ai-helm.

---

4. Verification

I verified this change by:

• Running automated tests
• Running manual tests
• Checking logs
• Checking metrics
• Testing error cases
• Testing permissions/security behavior
• Testing rollback or failure behavior, if relevant

A new DB test (set_task_status_persists_and_preserves_detail) covers the error case: a reported detail is persisted, and a later detail-less report does not erase the recorded reason (COALESCE).

Commands run:

cargo fmt -p control-plane -- --check
cargo clippy -p control-plane --all-targets -- -D warnings
cargo test -p control-plane   # DB tests against local pgvector
pnpm --filter web lint
pnpm --filter web build

Results:

$ cargo fmt -p control-plane -- --check
FMT_EXIT=0

$ cargo clippy -p control-plane --all-targets -- -D warnings
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 22.32s
CLIPPY_EXIT=0

$ cargo test -p control-plane
test db::tests::set_task_status_stamps_and_releases ... ok
test db::tests::set_task_status_persists_and_preserves_detail ... ok
test result: ok. 60 passed; 0 failed; 1 ignored; 0 measured; 0 filtered out

$ pnpm --filter web lint
$ biome check .
Checked 54 files in 24ms. No fixes applied.

$ pnpm --filter web build
├ ƒ /dashboard/runs/[id]                 2.97 kB         116 kB
✓ Compiled successfully

---

5. Screenshots / Evidence

• Prod evidence: 98/144 (~68%) "succeeded" PR-review tasks over 14 days posted nothing.
• Code evidence: the dropped-detail comment in http/internal.rs (StatusUpdate.detail — "not persisted yet") is now removed and the value is persisted.

---

6. Risk Assessment

Risk level:

• Low
• Medium
• High

Potential risks:

• Additive nullable column + a widened function signature; no state-machine change.
• Migration is ADD COLUMN IF NOT EXISTS — idempotent and backward-compatible (older rows read NULL).

Mitigation:

• COALESCE write semantics ensure a later report can't erase a recorded reason; covered by a test.
• Web rendering guards on presence (error_detail truthy), so existing clean runs are unaffected.

---

7. AI Usage Declaration

AI was used for:

• Understanding existing code
• Generating code
• Refactoring
• Generating tests
• Drafting documentation
• Reviewing the diff
• Not used

Human verification:

• I understand every meaningful change in this PR
• I checked generated code manually
• I checked generated tests manually
• I removed unsupported AI assumptions
• I accept responsibility for this PR

---

8. Reviewer Focus

Please focus your review on:

• Correctness
• Architecture
• Security
• Performance
• Tests
• Maintainability
• Product intent
• Edge cases

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[github-actions]

✅ AI Governance check passed

This PR declares AI usage, references a source of truth, and provides verification evidence. Thank you.

[gemini-code-assist]

Code Review

This pull request introduces persistence and frontend visualization for the runner's free-text status reason (error_detail), preventing silent failures or no-ops from being mistaken for successful reviews. However, a critical issue was identified in the database status update logic: when a task is retried and transitions back to running, the previous attempt's error_detail is not cleared. This can lead to successful retried runs being incorrectly flagged as silent no-ops on the dashboard. A suggestion has been provided to clear the error detail upon transitioning to the running state.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[stephane-segning]

@lightbridge-assistant please review this

[stephane-segning]

@lightbridge-assistant please review this again