policy: enforce squash-only merges with linear history (#122)

AGENTS.md

@@ -42,15 +42,33 @@ Read [`CLAUDE.md`](CLAUDE.md) for architecture patterns and conventions.
 Every commit to `main` must arrive via a merged Pull Request. No agent, no human,
 no orchestrator pushes directly to main.
 
+### Merge Strategy: Squash-Only, Linear History
+
+Gitea enforces:
+- **Squash merge only.** No merge commits, no rebase merge. Every commit on
+  main is a single squashed commit from a PR. Clean, linear, auditable.
+- **Branch must be up-to-date.** If a PR is behind main, it cannot merge.
+  Rebase onto main, re-run tests, force-push the branch, then merge.
+- **Auto-delete branches** after merge. No stale branches.
+
 ### The Workflow
 ```
 1. Create a feature branch:  git checkout -b fix/my-thing
 2. Make changes, commit locally
-3. Run tests:                python3 -m pytest tests/ -x -q
+3. Run tests:                tox -e unit
 4. Push the branch:          git push --no-verify origin fix/my-thing
 5. Create PR via Gitea API or UI
 6. Verify tests pass (orchestrator checks this)
-7. Merge PR via API or UI
+7. Merge PR via API:         {"Do": "squash"}
+```
+
+If behind main before merge:
+```
+1. git fetch origin main
+2. git rebase origin/main
+3. tox -e unit
+4. git push --force-with-lease --no-verify origin fix/my-thing
+5. Then merge the PR
 ```
 
 ### Why This Exists
@@ -62,8 +80,10 @@ to all active worktrees.
 
 ### Orchestrator Responsibilities
 The Hermes loop orchestrator must:
-- Run `pytest -x -q` in each worktree BEFORE committing
+- Run `tox -e unit` in each worktree BEFORE committing
 - Never push to main directly — always push a feature branch + PR
+- Always use `{"Do": "squash"}` when merging PRs via API
+- If a PR is behind main, rebase and re-test before merging
 - Verify test results before merging any PR
 - If tests fail, fix or reject — never merge red