fix: 405 treated as merge success + STATE.md push dismissed approvals

Root cause: Two bugs combined to silently close PRs without merging.

1. HTTP 405 ('not allowed to merge') was in the success condition
   alongside 200/204. Codeberg returns 405 when branch protection
   blocks the merge (e.g., stale approvals).

2. append_state_log pushed a new commit AFTER review_bot approved,
   but BEFORE the merge attempt. With dismiss_stale_approvals=true,
   the new commit automatically dismissed the approval → 405.

Impact: 6 PRs (#683, #688, #692, #695, #696, #699) were 'merged'
(logged as success, branch deleted, issue closed) but never actually
merged into master. All work was lost.

Fixes:
- Remove 405 from merge success check
- Move STATE.md append out of pre-merge path
openhands 2026-03-13 17:41:10 +00:00
parent f7531d6ee9
commit 0132c7acc4

@ -917,7 +917,7 @@ do_merge() {
"${API}/pulls/${PR_NUMBER}/merge" \
-d '{"Do":"merge","delete_branch_after_merge":true}')
if [ "$http_code" = "200" ] || [ "$http_code" = "204" ] || [ "$http_code" = "405" ]; then
if [ "$http_code" = "200" ] || [ "$http_code" = "204" ]; then
log "PR #${PR_NUMBER} merged!"
curl -sf -X DELETE \
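Review bot: The success branch in do_merge still trusts the HTTP status alone before running the destructive `curl -sf -X DELETE` step. Dropping 405 fixes the known case, but a status-only check is what allowed the earlier false "merged!" log. Before logging success and deleting anything, consider confirming the result by fetching the pull request and checking that its `merged` field is true. It would also help to log `$http_code` on the failure path so a merge blocked by branch protection is visible in the log. Separately, the request body already sets `"delete_branch_after_merge":true`, so it is worth checking whether the DELETE that follows is still needed.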
@ -1131,10 +1131,12 @@ ${CI_ERROR_LOG:-No logs available. Use ci-debug.sh to query the pipeline.}
fi
if [ "$VERDICT" = "APPROVE" ]; then
append_state_log
# Re-read SHA after STATE.md commit
CURRENT_SHA=$(cd "${WORKTREE:-$REPO_ROOT}" && git rev-parse HEAD)
# NOTE: STATE.md append moved to AFTER merge.
# Pushing before merge creates a new commit that dismisses
# the stale approval (dismiss_stale_approvals=true), causing
# 405 "not enough approvals" on merge.
do_merge "$CURRENT_SHA"
# If merge succeeded, append_state_log was already called inside do_merge
fi
[ -n "$VERDICT" ] && break
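Review bot: The comment `# If merge succeeded, append_state_log was already called inside do_merge` describes a call that none of the visible hunks add. The do_merge hunk above only changes the status check, and the call site no longer invokes append_state_log. Please confirm that do_merge really calls it on the success path after the merge. If it does not, the STATE.md entry is silently dropped. If it does, the past-tense wording ("moved to AFTER merge") should name where the call now lives. Also, `do_merge "$CURRENT_SHA"` now depends on CURRENT_SHA having been set earlier, since the `git rev-parse HEAD` re-read is gone. A short guard that fails loudly when it is empty would be safer. Finally, the return status of do_merge is not checked before `[ -n "$VERDICT" ] && break`, so a failed merge still leaves the loop as if the approval had been acted on.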