Rebound Sprint — 2026-05-12

Context: On 2026-05-12 ~05:00 UTC, a naive conflict-resolver script (/tmp/auto-rebase.sh) applied YAML-style "concat both halves" resolution to Python, SQL, and JS files. Seven PRs landed on main with literal conflict markers in source. Emergency recovery PR #1781 reverts all seven and restores __init__.py. This document is the dispatch plan for re-merging the seven reverted PRs and draining 30+ additional backlog cards — path-isolated so no two PRs in the same burst touch the same file.

Root cause reminder: feedback_no_naive_conflict_resolver.md — never apply a single "strip markers" resolver across file types. Python, SQL, and JS require per-type-aware resolution or human review. Sequential merge (rebase one, land it, refetch main, rebase next) eliminates most collisions at source.

Rule for all bursts: Within a burst, NO TWO PRs may touch the same file. Between bursts, wait for all PRs in the prior burst to merge before dispatching the next burst.

Section A: The 7 Reverted PRs — Re-Merge Queue (top priority)

These must merge sequentially, one-at-a-time, each after #1781 has landed and a fresh git fetch origin main has been run. The original branches no longer exist on origin; each PR must be re-cut from the last-merged base.

Prerequisite: #1781 merges first. Do not start this queue until CI is green on clean main.

Dependency analysis (from PR file manifests)

Re-merge protocol per PR

1. Fetch clean main: git fetch origin main && git checkout main && git reset --hard origin/main
2. Re-cut the feature branch from main (re-apply or cherry-pick original commits — do NOT use auto-rebase.sh)
3. Run python3 -c "import ast; ast.parse(open('backend_v2/api/__init__.py').read())" — must not raise
4. Run scripts/ci/run_smoke.sh locally
5. Open new PR targeting main, push, wait for CI green
6. Merge — then repeat from step 1 for the next PR

Hard constraint: __init__.py and feature_flags.yaml appear in almost every one of these seven PRs. Sequential merge is the ONLY safe path. Do not batch any two of these in parallel.

Section B: The 30+ New Slate — Path-Isolated Bursts

All bursts below are gated on Section A completing first (clean main after all 7 re-merges). Within each burst, file paths are non-overlapping.

Migration numbering note: console/migrations/versions/ filenames use a sequential prefix (00XX_). When two PRs both add a new migration file with the same prefix, they collide. The safest practice is to assign migration numbers at dispatch time from the current head, not in the card. Each burst that includes a migration-adding PR must merge sequentially within itself — see Section C for the full exclusion list.

Burst 1 — getraxx.com marketing site (purely frontend/getraxx-landing/ or getraxx pages in Antlers)

All cards touch only the getraxx landing surface. None touch __init__.py, feature_flags.yaml, or console migrations.

Burst 1 conflict note: #1613 is gated on an operator decision (mockup variant). If that decision is not yet recorded on #1613, do not dispatch it in this burst — dispatch #593 and #578 without it. #578 (Backtest consolidation) is grouped here because it touches Antlers pages but nothing shared with getraxx — it can run alongside #593 safely.

Burst 2 — DevOps / CI / IaC (touches only .github/, terraform/, scripts/ci/)

No application code files. No __init__.py, feature_flags.yaml, or console migrations.

Burst 2 conflict note: #726 and #335 both touch .github/workflows/. Assign them to different workflow files at dispatch time, or merge them sequentially within this burst. If they must touch the same workflow file, promote to Section C (solo merge). #708 has an open PR (#1759) — verify #1759 is not already merged before dispatching #708 again.

Burst 3 — Docs only (touches only docs/)

Pure markdown. No application code. No shared state. All can run in parallel safely.

Burst 3 conflict note: #502 may write to the existing docs/architecture/workflow-uuid-tracing.md. If any other burst-3 card also modifies that file, split into separate burst slots. Based on current data no other burst-3 card touches that file.

Burst 4 — Console UI / Flask (touches only console/app/)

No Raptor (backend_v2/) code. No Antlers (frontend/trademaster_ui/) code. Console migrations are gated to Section C.

Burst 4 conflict note: All three cards touch isolated console files. #925 touches console/app/services/rotation_handlers/heroku.py only; #350 touches console/app.json; #454 touches vault configuration (out-of-repo) + docs. Zero overlap — all three can run in parallel.

Burst 5 — Antlers feature pages (each PR owns a distinct page subtree)

Each PR below is scoped to a dedicated page directory or isolated component file. None touch App.js, package.json, or shared components.

Burst 5 conflict note: #474 touches SetupWizard/ only. #488/#1776 touches pages/Demo/ only. #663 touches frontend/support/src/pages/TicketDetail/ only. #664 touches frontend/support/src/pages/NewTicket/ only. These are four fully distinct directories — parallel-safe. Do not dispatch #488 if PR #1776 is still open and un-merged.

Burst 6 — Backend new-module additions (isolated new files, no __init__.py or feature_flags.yaml)

These PRs each add a NEW module file and do NOT register it in __init__.py or touch feature_flags.yaml. This is the highest-risk burst — every card must be individually audited before dispatch to confirm no shared-file additions have crept in.

Gate check before dispatch: For each PR, run gh pr view <N> --json files and confirm zero overlap with backend_v2/api/__init__.py and backend_v2/api/feature_flags.yaml. If a card's scope statement says "register blueprint in __init__.py" or "add flag to feature_flags.yaml", it is disqualified from this burst and promoted to Section C.

Burst 6 conflict note: All five cards add files in distinct directories or non-overlapping services. None should touch __init__.py or feature_flags.yaml — but this MUST be confirmed at dispatch time by inspecting the actual branch diff. Any deviation from the scope statement requires promotion to Section C.

Burst 7 — Raptor support API (backend_v2/api/routes/support.py series, no cross-file collision if each is scoped to its own route file)

The support.raxx.app sub-cards (#652–#659, #1005–#1012) form a natural sequence. Most can be parallelized within their surface:

Burst 7 conflict note: #652 is docs-only and can run in Burst 3 instead. #654 likely requires editing backend_v2/app.py (blueprint registration) — promote to Section C unless the developer can confirm the registration is handled via auto-discovery. Sub-cards #656–#658, #1005–#1012 are sequentially dependent on the portal SPA (#655) being present first; queue them after Burst 7 lands.

Burst 8 — Security / trace schema infrastructure (sequential-within-burst due to migration numbering)

These cards add Postgres migrations. Migration file prefix collisions are guaranteed if dispatched in parallel — treat each as solo within this burst.

Burst 8 conflict note: #514 (Timescale migration) is the riskiest card in the entire sprint. Per the card's own scope: "run during a maintenance window; test on staging first." This card must be the last in Burst 8 and must have a pre-merge staging validation step. Do not run it in any parallel group.

Section C: Hard Exclusions — Solo Merge Only

These files, if touched by any PR, automatically disqualify that PR from any burst. It must merge alone, with a fresh git fetch origin main before its branch is cut.

C.1 Always-solo files

C.2 PRs confirmed to need solo merge (from open PR file manifests)

C.2 Rule for adding flags

Any PR that adds a new entry to feature_flags.yaml MUST also include the console_flag_promotions migration (00XX_promote_*.py) in the same PR. Per feedback_new_flag_needs_b1_migration_same_pr.md — this has caused B1 gate failures four times. The migration file prefix must be assigned at dispatch time from the current head migration number to avoid collisions.

Section D: Dispatch Sequence

Estimated cadence: ~25 min per burst (10 min dispatch + 15 min CI + merge wave). Solo merges: ~20 min each.

UTC         Action
----        ------
After #1781 merges (target: 05:30 UTC 2026-05-12)

06:00       Section A begins — sequential re-merge queue
            Merge #1764 (demo propose) — wait for CI
06:25       Merge #1770 (consent schema) — wait for CI
06:50       Merge #1768 (shadow aggregator) — wait for CI
07:15       Merge #1772 (passkey gate) — wait for CI
07:40       Merge #1766 (demo session API) — depends on #1764
08:05       Merge #1765 (re-opt-in flow) — depends on #1770
08:30       Merge #1771 (device mgmt UI) — depends on #1772 + #1768

09:00       CHECKPOINT — confirm clean main (AST parse __init__.py; smoke passes)

09:00       Burst 3 dispatch (docs-only — zero risk; run first for quick wins)
            #502, #479, #596, #649, #1161 — all parallel
09:25       Burst 3 merge wave

09:30       Burst 1 dispatch (getraxx marketing pages)
            #593, #578 in parallel; #1613 only if operator variant decision is recorded
09:55       Burst 1 merge wave

10:00       Burst 2 dispatch (DevOps/CI/IaC)
            #726, #536 in parallel; #335 and #708 confirm not already merged
10:25       Burst 2 merge wave

10:30       Burst 4 dispatch (console UI — isolated console files)
            #925, #350, #454 in parallel
10:55       Burst 4 merge wave

11:00       Burst 5 dispatch (Antlers feature pages — distinct page directories)
            #474, #663, #664 in parallel; #488 only if [PR #1776](https://github.com/raxx-app/TradeMasterAPI/pull/1776) not already open/merged
11:25       Burst 5 merge wave

11:30       Burst 6 dispatch (backend new-module additions — gate check required)
            Run gh pr files check before each dispatch; #503, #504, #505, #506, #484 in parallel
            ABORT any card whose diff shows __init__.py or feature_flags.yaml — promote to Section C queue
11:55       Burst 6 merge wave

12:00       Section C solo queue begins (open PRs: #1774, #1775, #1776, #1777, #1778, #1780)
            Each gets its own 20-min slot with fresh main fetch before branch cut
            Order: #1775 → #1776 → #1774 → #1777 → #1778 → #1780
            (demo backend before demo UI; RBAC gate before backup codes; GDPR delete last — widest blast radius)

13:40       Burst 7 dispatch (support.raxx.app surface)
            #652 (docs) in Burst 3 already; #653 (DNS+deploy), #655 (SPA) in parallel
            #654 — solo if it touches backend_v2/app.py
14:05       Burst 7 merge wave

14:10       Burst 8 dispatch (trace schema infrastructure — sequential within burst)
            #515 (key provisioning, mostly ops) — dispatch and merge
            #512 (admin notify, no migration) — dispatch and merge
            #508 (admin replay + trace_snapshots migration) — dispatch and merge
            #509 (user trace API + migration) — dispatch and merge
            #514 (Timescale hypertable) — LAST; staging gate required; maintenance window

Estimated wall time to fully drain: ~9 hours from #1781 merge (05:30 → ~14:30 UTC 2026-05-12)

Critical path items: - #1781 merge is the single earliest gate; everything blocks on it - Section A's 7 sequential re-merges are the longest sequential chain (~2.5 hours) - #514 (Timescale) requires staging validation — may slip to 2026-05-13 if staging is unavailable

Section E: Pre-Dispatch Checklist Per Burst

Before dispatching any burst (copy this into the dispatch comment):

• [ ] git fetch origin main && python3 -c "import ast; ast.parse(open('backend_v2/api/__init__.py').read()); print('PARSE OK')" — must print PARSE OK
• [ ] scripts/ci/run_smoke.sh passes on current main
• [ ] gh pr list --state open — confirm no open PR from a prior burst is still pending merge (do not start a new burst with a partially-merged prior burst)
• [ ] For any Burst 6 card: gh pr view <N> --json files — confirm no __init__.py or feature_flags.yaml in the file list before dispatch
• [ ] For any card adding a console migration: assign migration prefix from ls console/migrations/versions/ | sort | tail -1 and confirm it is one higher than current max

Section F: Cards Not Yet Ready for Dispatch

These cards appeared in the ready-for-dev list but have open blockers:

Appendix: File-to-Burst Quick Reference