@link-assistant/hive-mind 1.78.7 → 1.78.9

package/CHANGELOG.md

@@ -1,5 +1,82 @@
 # @link-assistant/hive-mind
 
+## 1.78.9
+
+### Patch Changes
+
+- a3d4d41: fix(isolation): use native Docker isolation and seed the nested daemon for `--isolation docker` (#1914)
+
+  Two problems made `--isolation docker` behave wrong on the Docker-in-Docker bot
+  host:
+  1. **It wasn't real Docker isolation.** Hive Mind launched isolated tasks as
+     `$ --isolated screen -- docker run …`, so `$ --status` reported
+     `options / isolated screen` — a screen wrapper around a raw `docker run`, not
+     the native Docker backend. Hive Mind now builds
+     `$ --isolated docker --image <img> [--privileged] --shell sh … --detached --session <uuid> -- '<cmd>'`,
+     so start-command owns the container lifecycle and `--status` reports real
+     Docker isolation.
+  2. **The 30+ GB image was re-downloaded for every task.** The bot runs inside a
+     DinD container whose nested `dockerd` starts with an empty image store. box
+     can seed that daemon from the host (host-image passthrough), but only when the
+     host Docker socket is bind-mounted — and when it isn't, passthrough is a
+     _silent_ no-op, so the first isolated task pulled the whole image from the
+     registry. Hive Mind now runs a startup preflight (`preflightDockerIsolation`)
+     that probes the nested daemon and, when the image is absent, prints the exact
+     remediation (mount `/var/run/docker.sock` + set `DIND_HOST_PASSTHROUGH_IMAGES`,
+     or run `scripts/preload-dind-isolation-image.mjs`). The production deploy
+     script was the real root cause — its `docker run` never mounted the host
+     socket — and has been fixed to pass `-v /var/run/docker.sock:…:ro` plus the
+     allowlist.
+
+  Also filed the silent-passthrough footgun upstream as link-foundation/box#102
+  (warn when an allowlist is set but no socket is mounted) — **now fixed and shipped
+  in box v2.3.2** — and bumped this repo's base images from `konard/box:2.3.1` /
+  `konard/box-dind:2.3.1` to `2.3.2` so the upstream warning ships at the source.
+  Added a deep case study with the full reproduction, timeline, and root-cause
+  analysis under `docs/case-studies/issue-1914`.
+
+## 1.78.8
+
+### Patch Changes
+
+- cb4986f: Close linked issues when a PR is merged into a non-default branch, and stop misreporting the cause (#1895).
+
+  GitHub only registers a PR's `closingIssuesReferences` and auto-closes the linked
+  issue when the PR targets the repository's **default branch**. PRs created against a
+  stacked / sub-issue branch (e.g. `issue-47-…` via `--base-branch`) therefore showed
+  an empty closing-reference connection and left their issues open after merge — the
+  exact failure reported for meta-language PRs #65/#66 / issues #49/#50.
+  - src/github-issue-auto-close.lib.mjs (new): `gitHubAutoClosesOnMerge`,
+    `classifyIssueLinkStatus`, `buildNonDefaultBranchExplanation`, and
+    `ensureLinkedIssueClosedAfterMerge` — diagnose why a closing reference is missing
+    and explicitly close the linked issue after a non-default-base merge (no-op when
+    GitHub already handles it, the keyword is absent, or the issue is already closed).
+  - src/solve.auto-pr.lib.mjs: replace the misleading "ISSUE LINK MISSING — add
+    Fixes #N" warning with an accurate "ISSUE LINK DEFERRED" explanation when the
+    keyword is present but the PR targets a non-default branch.
+  - src/solve.auto-continue.lib.mjs (`collectIssuePrCandidates`): detect the existing
+    PR for an issue by BOTH GitHub's `linked:issue` search (legacy, preserved) and the
+    deterministic `head:issue-N-` branch search. A PR targeting a non-default base
+    branch never appears in `linked:issue`, so `--auto-continue` previously failed to
+    resume it and risked creating a duplicate; the head-branch search guarantees the
+    PR↔issue association regardless of base branch.
+  - src/solve.auto-merge.lib.mjs (watchUntilMergeable + attemptAutoMerge),
+    src/github-merge.lib.mjs / src/github-merge-issue-close.lib.mjs
+    (`closeLinkedIssueIfNotAutoClosed`, used by the /merge queue), and
+    src/telegram-merge-queue.lib.mjs: close the linked issue explicitly after a merge
+    into a non-default branch. All gh calls route through the rate-limit-aware wrappers.
+  - tests/github-issue-auto-close.test.mjs: 14 cases reproducing the non-default-base
+    bug and verifying the diagnosis + fallback.
+  - tests/solve-auto-continue-detection-1895.test.mjs: 7 cases proving non-default-base
+    PRs are detected for auto-continue (head-branch search), legacy linked detection is
+    preserved, results are deduped/merged, and search failures degrade gracefully.
+  - docs/case-studies/issue-1895: deep case study with downloaded GraphQL/PR/issue
+    evidence, reconstructed timeline, root-cause analysis, requirement mapping, and the
+    external-reporting decision. Includes `github-api-linking-research.md` — a
+    definitive, introspection-backed answer to "is there an API to link a PR to an
+    issue?" (no: confirmed via live GraphQL schema introspection), with the gap
+    reported upstream (GitHub Community discussions #112224 / #155339 / #179613).
+
 ## 1.78.7
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-assistant/hive-mind",
-  "version": "1.78.7",
+  "version": "1.78.9",
   "description": "AI-powered issue solver and hive mind for collaborative problem solving",
   "main": "src/hive.mjs",
   "type": "module",

package/src/github-issue-auto-close.lib.mjs

@@ -0,0 +1,240 @@
+#!/usr/bin/env node
+
+/**
+ * GitHub Issue Auto-Close Diagnosis & Fallback Library
+ *
+ * Root cause of issue #1895:
+ * GitHub only registers a pull request's closing references (the
+ * `closingIssuesReferences` GraphQL connection) and only auto-closes the
+ * referenced issues when the pull request targets the repository's
+ * **default branch**. When a PR uses a closing keyword such as
+ * `Fixes #49` / `Closes #50` but targets a non-default branch (for example a
+ * stacked / sub-issue branch like `issue-47-...`), GitHub:
+ *
+ *   1. leaves `closingIssuesReferences` empty, so automatic linking detection
+ *      reports "ISSUE LINK MISSING" even though the keyword is present, and
+ *   2. does not close the linked issue when the PR is merged, so the PR is
+ *      "closed without its issue to be closed as well".
+ *
+ * This module provides:
+ *   - pure helpers to diagnose *why* a closing reference is missing, and
+ *   - an action helper that explicitly closes the linked issue after a merge
+ *     into a non-default branch, where GitHub would not do it for us.
+ *
+ * @see https://github.com/link-assistant/hive-mind/issues/1895
+ * @see https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue
+ */
+
+import { prClosesIssue, extractLinkedIssueNumber } from './github-linking.lib.mjs';
+import { wrapDollarWithGhRetry } from './github-rate-limit.lib.mjs';
+
+/**
+ * Determine whether GitHub will automatically close a PR's linked issues when
+ * the PR is merged, based on the branch it targets.
+ *
+ * GitHub only auto-closes linked issues for PRs merged into the repository's
+ * default branch.
+ *
+ * @param {string|null|undefined} baseBranch - The branch the PR targets (baseRefName)
+ * @param {string|null|undefined} defaultBranch - The repository's default branch
+ * @returns {boolean|null} true if GitHub will auto-close, false if it will not,
+ *   or null when the answer cannot be determined (missing input).
+ */
+export function gitHubAutoClosesOnMerge(baseBranch, defaultBranch) {
+  if (!baseBranch || !defaultBranch) {
+    return null;
+  }
+  return String(baseBranch).trim() === String(defaultBranch).trim();
+}
+
+/**
+ * Classify the issue-linking status of a pull request so callers can emit an
+ * accurate diagnostic instead of the misleading "add Fixes #N" advice when the
+ * keyword is already present.
+ *
+ * @param {Object} options
+ * @param {string|null} [options.prBody] - Pull request body
+ * @param {string|null} [options.prTitle] - Pull request title
+ * @param {string|number} options.issueNumber - Issue the PR should close
+ * @param {string|null} [options.owner] - Repository owner (for cross-repo refs)
+ * @param {string|null} [options.repo] - Repository name (for cross-repo refs)
+ * @param {string|null} [options.baseBranch] - Branch the PR targets
+ * @param {string|null} [options.defaultBranch] - Repository default branch
+ * @param {boolean} [options.githubLinked] - Whether GitHub already reports the
+ *   issue in `closingIssuesReferences`
+ * @returns {{
+ *   hasClosingKeyword: boolean,
+ *   githubLinked: boolean,
+ *   autoCloses: boolean|null,
+ *   targetsNonDefaultBranch: boolean,
+ *   requiresManualClose: boolean,
+ *   reason: string,
+ * }}
+ */
+export function classifyIssueLinkStatus({ prBody = '', prTitle = '', issueNumber, owner = null, repo = null, baseBranch = null, defaultBranch = null, githubLinked = false } = {}) {
+  const hasClosingKeyword = prClosesIssue(prBody, issueNumber, owner, repo) || prClosesIssue(prTitle, issueNumber, owner, repo);
+  const autoCloses = gitHubAutoClosesOnMerge(baseBranch, defaultBranch);
+  const targetsNonDefaultBranch = autoCloses === false;
+
+  let reason;
+  let requiresManualClose = false;
+
+  if (githubLinked) {
+    reason = 'github-linked';
+  } else if (!hasClosingKeyword) {
+    // The keyword is genuinely absent — the historical advice applies.
+    reason = 'missing-keyword';
+  } else if (targetsNonDefaultBranch) {
+    // The keyword IS present, but the PR targets a non-default branch, so
+    // GitHub never registers the closing reference and will not auto-close.
+    reason = 'non-default-base-branch';
+    requiresManualClose = true;
+  } else {
+    // Keyword present, base looks like default (or unknown): GitHub is
+    // expected to register the link, possibly after a short delay.
+    reason = 'keyword-present-link-pending';
+  }
+
+  return {
+    hasClosingKeyword,
+    githubLinked: Boolean(githubLinked),
+    autoCloses,
+    targetsNonDefaultBranch,
+    requiresManualClose,
+    reason,
+  };
+}
+
+/**
+ * Build the human-readable lines that explain a non-default-base-branch linking
+ * failure. Shared so solve and merge code paths print the same explanation.
+ *
+ * @param {Object} options
+ * @param {string|number} options.issueNumber
+ * @param {string} options.baseBranch
+ * @param {string} options.defaultBranch
+ * @param {string} [options.issueRef] - Display reference such as `#49` or `owner/repo#49`
+ * @returns {string[]}
+ */
+export function buildNonDefaultBranchExplanation({ issueNumber, baseBranch, defaultBranch, issueRef = `#${issueNumber}` }) {
+  return [`The PR closing keyword for ${issueRef} is present, but the PR targets the`, `non-default branch '${baseBranch}' (the repository default is '${defaultBranch}').`, 'GitHub only registers closing references and auto-closes linked issues for', 'pull requests merged into the default branch, so:', `  • the automatic link to issue ${issueRef} will not appear, and`, `  • issue ${issueRef} will NOT be closed automatically when this PR merges.`, 'hive-mind will close the linked issue explicitly after the merge instead.'];
+}
+
+/**
+ * After a PR has been merged, ensure the linked issue is closed when GitHub will
+ * not do it automatically (i.e. the PR targeted a non-default branch).
+ *
+ * This is a no-op (returns a skipped result) when:
+ *   - GitHub will auto-close the issue (PR merged into the default branch), or
+ *   - the PR body/title does not contain a closing keyword for the issue, or
+ *   - the issue is already closed.
+ *
+ * @param {Object} options
+ * @param {Function} options.$ - command-stream `$` exec helper
+ * @param {Function} [options.log] - async logger
+ * @param {string} options.owner
+ * @param {string} options.repo
+ * @param {string|number} options.prNumber
+ * @param {string|number|null} [options.issueNumber] - Issue the PR should close
+ *   (derived from the PR body closing keyword when omitted)
+ * @param {string|null} [options.baseBranch] - Branch the PR targeted (fetched if omitted)
+ * @param {string|null} [options.defaultBranch] - Repo default branch (fetched if omitted)
+ * @param {string|null} [options.prBody] - PR body (fetched if omitted)
+ * @param {string|null} [options.prTitle] - PR title (fetched if omitted)
+ * @param {boolean} [options.verbose]
+ * @returns {Promise<{closed: boolean, skipped: boolean, reason: string, error?: string}>}
+ */
+export async function ensureLinkedIssueClosedAfterMerge({ $: rawDollar, log = null, owner, repo, prNumber, issueNumber = null, baseBranch = null, defaultBranch = null, prBody = null, prTitle = null, verbose = false }) {
+  // Issue #1726: route every `gh ...` call through the rate-limit-aware wrapper.
+  const $ = wrapDollarWithGhRetry(rawDollar);
+  const note = async message => {
+    if (log) {
+      await log(message, { verbose: true });
+    } else if (verbose) {
+      console.log(message);
+    }
+  };
+
+  if (!owner || !repo || !prNumber) {
+    return { closed: false, skipped: true, reason: 'missing-parameters' };
+  }
+
+  try {
+    // Fetch PR metadata (base branch, body, title) if not provided.
+    if (baseBranch === null || prBody === null || prTitle === null) {
+      const prView = await $`gh pr view ${prNumber} --repo ${owner}/${repo} --json baseRefName,body,title`;
+      if (prView.code === 0) {
+        const data = JSON.parse(prView.stdout.toString().trim() || '{}');
+        if (baseBranch === null) baseBranch = data.baseRefName ?? null;
+        if (prBody === null) prBody = data.body ?? '';
+        if (prTitle === null) prTitle = data.title ?? '';
+      }
+    }
+
+    // Derive the linked issue from the PR body when the caller did not supply it.
+    if (!issueNumber) {
+      issueNumber = extractLinkedIssueNumber(prBody || '') || extractLinkedIssueNumber(prTitle || '');
+    }
+    if (!issueNumber) {
+      await note(`[auto-close] PR #${prNumber} has no closing keyword identifying an issue; nothing to close`);
+      return { closed: false, skipped: true, reason: 'no-linked-issue' };
+    }
+
+    // Fetch the repository default branch if not provided.
+    if (defaultBranch === null) {
+      const repoView = await $`gh api repos/${owner}/${repo} --jq .default_branch`;
+      if (repoView.code === 0) {
+        defaultBranch = repoView.stdout.toString().trim() || null;
+      }
+    }
+
+    const status = classifyIssueLinkStatus({ prBody: prBody || '', prTitle: prTitle || '', issueNumber, owner, repo, baseBranch, defaultBranch });
+
+    if (status.autoCloses === true) {
+      await note(`[auto-close] GitHub will auto-close issue #${issueNumber} (PR #${prNumber} merged into default branch '${defaultBranch}')`);
+      return { closed: false, skipped: true, reason: 'github-auto-closes' };
+    }
+
+    if (!status.hasClosingKeyword) {
+      await note(`[auto-close] PR #${prNumber} has no closing keyword for issue #${issueNumber}; not closing it`);
+      return { closed: false, skipped: true, reason: 'no-closing-keyword' };
+    }
+
+    if (status.autoCloses === null) {
+      await note(`[auto-close] Could not determine base/default branch for PR #${prNumber}; leaving issue #${issueNumber} to GitHub`);
+      return { closed: false, skipped: true, reason: 'unknown-branch' };
+    }
+
+    // Check current issue state — do not act if it is already closed.
+    const issueState = await $`gh issue view ${issueNumber} --repo ${owner}/${repo} --json state,stateReason`;
+    if (issueState.code === 0) {
+      const data = JSON.parse(issueState.stdout.toString().trim() || '{}');
+      if (String(data.state).toUpperCase() === 'CLOSED') {
+        await note(`[auto-close] Issue #${issueNumber} is already closed`);
+        return { closed: false, skipped: true, reason: 'already-closed' };
+      }
+    }
+
+    // Close the issue explicitly, leaving an explanatory trail.
+    const comment = [`Closed by #${prNumber}, which targeted the non-default branch \`${baseBranch}\` (repository default: \`${defaultBranch}\`).`, '', 'GitHub only auto-closes linked issues for pull requests merged into the default branch,', 'so hive-mind closed this issue explicitly after the merge.', '', '_Automated by hive-mind ([#1895](https://github.com/link-assistant/hive-mind/issues/1895))._'].join('\n');
+
+    const closeResult = await $`gh issue close ${issueNumber} --repo ${owner}/${repo} --reason completed --comment ${comment}`;
+    if (closeResult.code === 0) {
+      if (log) {
+        await log(`🔗 Closed issue #${issueNumber} explicitly (PR #${prNumber} merged into non-default branch '${baseBranch}')`);
+      }
+      return { closed: true, skipped: false, reason: 'closed-explicitly' };
+    }
+
+    return { closed: false, skipped: false, reason: 'close-command-failed', error: closeResult.stderr?.toString?.() || 'unknown error' };
+  } catch (error) {
+    return { closed: false, skipped: false, reason: 'exception', error: error.message };
+  }
+}
+
+export default {
+  gitHubAutoClosesOnMerge,
+  classifyIssueLinkStatus,
+  buildNonDefaultBranchExplanation,
+  ensureLinkedIssueClosedAfterMerge,
+};

package/src/github-merge-issue-close.lib.mjs

@@ -0,0 +1,89 @@
+#!/usr/bin/env node
+/**
+ * GitHub Merge — Linked Issue Close Helper
+ *
+ * Issue #1895: After merging a PR, GitHub only auto-closes the linked issue when
+ * the PR targeted the repository's default branch. For PRs merged into a
+ * non-default branch (e.g. a stacked / sub-issue branch), the linked issue stays
+ * open even though the PR body contains a valid `Fixes #N` keyword. This helper
+ * closes the linked issue explicitly in that case.
+ *
+ * Extracted from github-merge.lib.mjs to keep that file under the 1500-line
+ * limit (same rationale as the Issue #1413 ready-sync split).
+ *
+ * @see https://github.com/link-assistant/hive-mind/issues/1895
+ */
+
+import { promisify } from 'util';
+import { exec as execCallback } from 'child_process';
+
+import { githubLimits } from './config.lib.mjs';
+import { ghWithRateLimitRetry } from './github-rate-limit.lib.mjs';
+import { extractLinkedIssueNumber } from './github-linking.lib.mjs';
+import { classifyIssueLinkStatus } from './github-issue-auto-close.lib.mjs';
+import { getDefaultBranch } from './github-merge.lib.mjs';
+
+const execRaw = promisify(execCallback);
+
+// Issue #1726: keep every gh call rate-limit safe (mirrors github-merge.lib.mjs).
+const exec = (cmd, opts = {}) =>
+  ghWithRateLimitRetry(() => execRaw(cmd, { maxBuffer: githubLimits.bufferMaxSize, ...opts }), {
+    label: `gh exec (${cmd.split(/\s+/).slice(0, 3).join(' ')})`,
+  });
+
+/**
+ * After merging a PR, explicitly close the linked issue when GitHub will not
+ * auto-close it (i.e. the PR targeted a non-default branch).
+ *
+ * @param {string} owner - Repository owner
+ * @param {string} repo - Repository name
+ * @param {number} prNumber - Merged pull request number
+ * @param {boolean} verbose - Whether to log verbose output
+ * @returns {Promise<{closed: boolean, skipped: boolean, reason: string, issueNumber?: number}>}
+ */
+export async function closeLinkedIssueIfNotAutoClosed(owner, repo, prNumber, verbose = false) {
+  try {
+    const { stdout: prJson } = await exec(`gh pr view ${prNumber} --repo ${owner}/${repo} --json baseRefName,body,title`);
+    const pr = JSON.parse(prJson.trim() || '{}');
+    const baseBranch = pr.baseRefName || null;
+    const prBody = pr.body || '';
+    const prTitle = pr.title || '';
+
+    const issueNumber = extractLinkedIssueNumber(prBody) || extractLinkedIssueNumber(prTitle);
+    if (!issueNumber) {
+      if (verbose) console.log(`[VERBOSE] /merge: PR #${prNumber} has no closing keyword; no issue to close`);
+      return { closed: false, skipped: true, reason: 'no-linked-issue' };
+    }
+
+    const defaultBranch = await getDefaultBranch(owner, repo, verbose);
+    const status = classifyIssueLinkStatus({ prBody, prTitle, issueNumber, owner, repo, baseBranch, defaultBranch });
+
+    if (status.autoCloses !== false) {
+      // GitHub handles it (default branch) or branch info is unknown.
+      if (verbose) console.log(`[VERBOSE] /merge: Issue #${issueNumber} will be handled by GitHub (base '${baseBranch}', default '${defaultBranch}')`);
+      return { closed: false, skipped: true, reason: status.autoCloses === true ? 'github-auto-closes' : 'unknown-branch', issueNumber: Number(issueNumber) };
+    }
+
+    // Skip if already closed.
+    try {
+      const { stdout: issueJson } = await exec(`gh issue view ${issueNumber} --repo ${owner}/${repo} --json state`);
+      const issue = JSON.parse(issueJson.trim() || '{}');
+      if (String(issue.state).toUpperCase() === 'CLOSED') {
+        if (verbose) console.log(`[VERBOSE] /merge: Issue #${issueNumber} already closed`);
+        return { closed: false, skipped: true, reason: 'already-closed', issueNumber: Number(issueNumber) };
+      }
+    } catch {
+      // If state lookup fails, fall through and attempt the close.
+    }
+
+    const comment = `Closed by #${prNumber}, which targeted the non-default branch \`${baseBranch}\` (repository default: \`${defaultBranch}\`).\n\nGitHub only auto-closes linked issues for pull requests merged into the default branch, so hive-mind closed this issue explicitly after the merge.\n\n_Automated by hive-mind ([#1895](https://github.com/link-assistant/hive-mind/issues/1895))._`;
+    await exec(`gh issue close ${issueNumber} --repo ${owner}/${repo} --reason completed --comment ${JSON.stringify(comment)}`);
+    if (verbose) console.log(`[VERBOSE] /merge: Closed issue #${issueNumber} explicitly (PR #${prNumber} merged into non-default branch '${baseBranch}')`);
+    return { closed: true, skipped: false, reason: 'closed-explicitly', issueNumber: Number(issueNumber) };
+  } catch (error) {
+    if (verbose) console.log(`[VERBOSE] /merge: Error closing linked issue for PR #${prNumber}: ${error.message}`);
+    return { closed: false, skipped: false, reason: 'exception', error: error.message };
+  }
+}
+
+export default { closeLinkedIssueIfNotAutoClosed };

package/src/github-merge.lib.mjs

@@ -42,6 +42,12 @@ const exec = (cmd, opts = {}) =>
 import { syncReadyTags, getLinkedPRsFromTimeline, READY_LABEL } from './github-merge-ready-sync.lib.mjs';
 export { syncReadyTags, getLinkedPRsFromTimeline, READY_LABEL };
 
+// Issue #1895: After merging into a non-default branch, close the linked issue
+// explicitly (GitHub only auto-closes for default-branch merges). Extracted to a
+// separate module to keep this file under the 1500-line limit.
+import { closeLinkedIssueIfNotAutoClosed } from './github-merge-issue-close.lib.mjs';
+export { closeLinkedIssueIfNotAutoClosed };
+
 /**
  * Check if 'ready' label exists in repository
  * @param {string} owner - Repository owner
@@ -1419,6 +1425,7 @@ export default {
   getActiveBranchRuns, // Issue #1307: New exports for target branch CI waiting
   waitForBranchCI,
   getDefaultBranch,
+  closeLinkedIssueIfNotAutoClosed, // Issue #1895: close linked issue after merge into non-default branch
   // Issue #1314: Billing limit detection and enhanced CI status and re-run capabilities
   getCheckRunAnnotations,
   getRepoVisibility,

package/src/isolation-runner.lib.mjs

@@ -32,13 +32,21 @@ const TERMINAL_SESSION_STATUSES = new Set(['executed', 'completed', 'failed', 'c
 const HIVE_MIND_IMAGE_REPO = 'konard/hive-mind';
 const HIVE_MIND_DIND_IMAGE_REPO = 'konard/hive-mind-dind';
 const DEFAULT_HIVE_MIND_IMAGE_TAG = 'latest';
-// Docker's `--pull` accepts these policies. We only emit the flag when an
-// operator explicitly opts in; otherwise Docker's own default ("missing")
-// applies and `docker run` reuses any locally present image. See issue #1879.
-const VALID_DOCKER_PULL_POLICIES = new Set(['always', 'missing', 'never']);
-const DOCKER_ISOLATION_TRACKING_BACKEND = 'screen';
 const DOCKER_CONTAINER_HOME = '/home/box';
-const DOCKER_CONTAINER_PREFIX = 'hive-mind-isolation';
+// Default path where the host Docker socket is bind-mounted inside a DinD
+// container so box's host-image passthrough can copy host images into the
+// nested daemon. Matches box's own DIND_HOST_DOCKER_SOCK default. The deploy
+// must mount it (`-v /var/run/docker.sock:/var/run/host-docker.sock:ro`) or the
+// nested daemon starts empty and the first isolated task pulls the full,
+// multi-gigabyte image. See issue #1914.
+const DEFAULT_HOST_DOCKER_SOCK = '/var/run/host-docker.sock';
+// Force a POSIX shell for the inner command of Docker-isolated tasks. solve/
+// hive/task live on the image's baked-in PATH, so `sh -c` resolves them without
+// needing a login shell. Forcing the shell (instead of start's 'auto') also
+// skips start's shell-detection probe, which would otherwise `docker run` a
+// throwaway container — booting the dind image's dockerd entrypoint — purely to
+// check whether bash exists. See issue #1914.
+const DOCKER_ISOLATION_SHELL = 'sh';
 
 function normalizeProcessIds(value) {
   if (!value || typeof value !== 'object') return {};
@@ -62,19 +70,10 @@ function shellQuote(value) {
   return `'${stringValue.replaceAll("'", "'\\''")}'`;
 }
 
-function shellDoubleQuote(value) {
-  return `"${String(value).replaceAll('\\', '\\\\').replaceAll('"', '\\"').replaceAll('$', '\\$').replaceAll('`', '\\`')}"`;
-}
-
 function buildShellCommand(command, args = []) {
   return [command, ...args].map(shellQuote).join(' ');
 }
 
-function makeDockerContainerName(sessionId) {
-  const normalizedSession = String(sessionId || crypto.randomUUID()).replace(/[^a-zA-Z0-9_.-]/g, '-');
-  return `${DOCKER_CONTAINER_PREFIX}-${normalizedSession}`;
-}
-
 function shouldRunPrivilegedDockerIsolation(image, env = process.env) {
   return String(env.HIVE_MIND_IMAGE_VARIANT || '').toLowerCase() === 'dind' || String(image || '').includes('hive-mind-dind');
 }
@@ -117,20 +116,15 @@ export function getDockerIsolationImage({ env = process.env } = {}) {
 }
 
 /**
- * Resolve the Docker `--pull` policy for isolated tasks.
- *
- * Returns one of `always` | `missing` | `never`, or `null` when unset (in which
- * case the `--pull` flag is omitted and Docker's default applies). Operators set
- * `HIVE_MIND_DOCKER_ISOLATION_PULL=never` to force reuse of an image already
- * present in the (possibly nested) daemon and fail fast instead of silently
- * re-downloading it. Invalid values are ignored. See issue #1879.
+ * Resolve the path where the host Docker socket is expected to be mounted inside
+ * a DinD container. box's entrypoint reads this socket to copy host images into
+ * the nested daemon (host-image passthrough). Defaults to
+ * `/var/run/host-docker.sock` and can be overridden with `DIND_HOST_DOCKER_SOCK`
+ * (the same variable box honors). See issue #1914.
  */
-export function getDockerIsolationPullPolicy({ env = process.env } = {}) {
-  const raw = String(env.HIVE_MIND_DOCKER_ISOLATION_PULL || '')
-    .trim()
-    .toLowerCase();
-  if (!raw) return null;
-  return VALID_DOCKER_PULL_POLICIES.has(raw) ? raw : null;
+export function resolveHostDockerSock({ env = process.env } = {}) {
+  const explicit = String(env.DIND_HOST_DOCKER_SOCK || '').trim();
+  return explicit || DEFAULT_HOST_DOCKER_SOCK;
 }
 
 /**
@@ -157,46 +151,63 @@ export function getDockerIsolationAuthMounts({ tool = 'claude', env = process.en
 }
 
 /**
- * Build the shell command executed inside a start-command wrapper session for
- * Docker isolation. The wrapper remains a start-command session so Telegram can
- * keep using the same status/log lifecycle while Hive Mind controls image and
- * auth mounts directly.
+ * Resolve the image-variant marker recorded inside the isolated container.
+ * A `hive-mind-dind` image is always the dind variant; otherwise fall back to
+ * the parent's `HIVE_MIND_IMAGE_VARIANT` (or `regular`).
  */
-export function buildDockerIsolationCommand(command, args = [], options = {}) {
+function resolveImageVariant(image, env = process.env) {
+  return image.includes('hive-mind-dind') ? 'dind' : env.HIVE_MIND_IMAGE_VARIANT || 'regular';
+}
+
+/**
+ * Build the `$` (start-command) arguments that launch a Docker-isolated task
+ * using start-command's NATIVE Docker backend (`$ --isolated docker`).
+ *
+ * Issue #1914: earlier versions wrapped a hand-rolled `docker run` inside a
+ * `screen` session (`$ --isolated screen -- docker run …`). That was *screen*
+ * isolation merely shelling out to Docker — not Docker isolation. We now hand
+ * the container lifecycle to start-command itself and only contribute the
+ * pieces Hive Mind must control: which image to run, privileged mode for the
+ * dind variant, the environment markers, and the credential mounts scoped to
+ * the selected tool.
+ *
+ * start-command's Docker backend reuses a locally present image and only pulls
+ * when it is missing (`docker run` with Docker's default "missing" pull
+ * policy), so a host image seeded into the nested daemon via box passthrough is
+ * reused instead of re-downloaded — no `--pull` plumbing required (issue #1879).
+ */
+export function buildDockerIsolationStartArgs(command, args = [], options = {}) {
   const { sessionId, tool = 'claude', env = process.env, homeDir = os.homedir(), existsSync = fs.existsSync } = options;
   const image = getDockerIsolationImage({ env });
-  const innerCommand = buildShellCommand(command, args);
-  const dockerArgs = ['docker', 'run', '--rm'];
-
-  // Reuse a locally present image instead of re-downloading it when the
-  // operator opts in. Omitted by default so Docker's "missing" policy applies.
-  const pullPolicy = getDockerIsolationPullPolicy({ env });
-  if (pullPolicy) {
-    dockerArgs.push('--pull', pullPolicy);
-  }
 
-  dockerArgs.push('--name', makeDockerContainerName(sessionId), '--workdir', DOCKER_CONTAINER_HOME, '-e', `HOME=${DOCKER_CONTAINER_HOME}`, '-e', `HIVE_MIND_PARENT_SESSION_ID=${sessionId || ''}`);
+  const startArgs = ['--isolated', 'docker', '--image', image];
 
   if (shouldRunPrivilegedDockerIsolation(image, env)) {
-    dockerArgs.push('--privileged');
+    startArgs.push('--privileged');
   }
 
-  const imageVariant = image.includes('hive-mind-dind') ? 'dind' : env.HIVE_MIND_IMAGE_VARIANT || 'regular';
-  dockerArgs.push('-e', `HIVE_MIND_IMAGE_VARIANT=${imageVariant}`);
+  // Force the inner shell so start-command does not probe the image to detect
+  // one (see DOCKER_ISOLATION_SHELL).
+  startArgs.push('--shell', DOCKER_ISOLATION_SHELL);
+
+  // The image already sets HOME=/home/box and WORKDIR /home/box; pass HOME
+  // explicitly anyway so the credential mounts under /home/box resolve even if
+  // a future image forgets to. start-command has no --workdir flag, so the
+  // working directory comes from the image's WORKDIR.
+  startArgs.push('-e', `HOME=${DOCKER_CONTAINER_HOME}`, '-e', `HIVE_MIND_PARENT_SESSION_ID=${sessionId || ''}`, '-e', `HIVE_MIND_IMAGE_VARIANT=${resolveImageVariant(image, env)}`);
 
   for (const mount of getDockerIsolationAuthMounts({ tool, env, homeDir, existsSync })) {
-    dockerArgs.push('--volume', `${mount.source}:${mount.target}`);
+    startArgs.push('--volume', `${mount.source}:${mount.target}`);
   }
 
-  dockerArgs.push(image, 'bash', '-lc');
-
-  return [...dockerArgs.map(shellQuote), shellDoubleQuote(innerCommand)].join(' ');
+  startArgs.push('--detached', '--session', sessionId, '--', buildShellCommand(command, args));
+  return startArgs;
 }
 
 export function buildStartCommandArgs(command, args = [], options = {}) {
   const { backend, sessionId } = options;
   if (backend === 'docker') {
-    return ['--isolated', DOCKER_ISOLATION_TRACKING_BACKEND, '--detached', '--session', sessionId, '--', buildDockerIsolationCommand(command, args, options)];
+    return buildDockerIsolationStartArgs(command, args, { ...options, sessionId });
   }
   return ['--isolated', backend, '--detached', '--session', sessionId, '--', buildShellCommand(command, args)];
 }
@@ -413,10 +424,11 @@ export async function executeWithIsolation(command, args, options = {}) {
     if (backend === 'docker') {
       const env = options.env || process.env;
       const image = getDockerIsolationImage({ env });
-      const pullPolicy = getDockerIsolationPullPolicy({ env });
       const mounts = getDockerIsolationAuthMounts({ tool: options.tool, env, homeDir: options.homeDir || os.homedir(), existsSync: options.existsSync || fs.existsSync });
+      console.log('[VERBOSE] isolation-runner: Docker isolation backend: native ($ --isolated docker)');
       console.log(`[VERBOSE] isolation-runner: Docker isolation image: ${image}`);
-      console.log(`[VERBOSE] isolation-runner: Docker isolation pull policy: ${pullPolicy || '(docker default: missing — reuse local image if present)'}`);
+      console.log(`[VERBOSE] isolation-runner: Docker isolation privileged: ${shouldRunPrivilegedDockerIsolation(image, env)}`);
+      console.log('[VERBOSE] isolation-runner: Docker isolation pull: reuse local image if present, pull only if missing (start-command default)');
       console.log(`[VERBOSE] isolation-runner: Docker isolation mounts: ${mounts.map(m => m.target).join(', ') || '(none)'}`);
     }
   }
@@ -553,12 +565,126 @@ export async function checkScreenSessionRunning(sessionName, verbose = false) {
   }
 }
 
+/**
+ * Check whether the Docker container backing a native `$ --isolated docker`
+ * session is still running.
+ *
+ * start-command names the container after the `--session` value, so the
+ * (possibly nested) Docker daemon can be queried directly. This is the
+ * native-Docker analogue of the `screen -ls` fallback: it is consulted only
+ * when `$ --status` has no usable record. The bot runs inside a Docker-in-
+ * Docker container, so `docker` here talks to the same nested daemon that
+ * start-command launched the task container on. See issue #1914.
+ *
+ * @param {string} containerName - Container name (the session UUID)
+ * @param {boolean} [verbose] - Enable verbose logging
+ * @returns {Promise<boolean>} True if the container exists and is running
+ */
+export async function checkDockerContainerRunning(containerName, verbose = false) {
+  try {
+    const result = await $({ mirror: false })`docker inspect -f ${'{{.State.Running}}'} ${containerName}`;
+    const running = (result.stdout?.toString() || '').trim() === 'true';
+    if (verbose) {
+      console.log(`[VERBOSE] isolation-runner: docker inspect for '${containerName}': ${running ? 'running' : 'not running'}`);
+    }
+    return running;
+  } catch {
+    // `docker inspect` exits non-zero when no such container exists.
+    return false;
+  }
+}
+
+/**
+ * Check whether an image is present in the local Docker daemon.
+ *
+ * Inside a Docker-in-Docker container "local" is the NESTED daemon. `docker
+ * image inspect` exits 0 only when the image exists, so a non-zero exit (or a
+ * missing docker binary) is treated as absent. Used by the startup preflight to
+ * predict whether the first isolated task will trigger a full image pull.
+ * See issue #1914.
+ *
+ * @param {string} image - Image reference (repo:tag)
+ * @param {boolean} [verbose] - Enable verbose logging
+ * @returns {Promise<boolean>} True if the image is present locally
+ */
+export async function checkDockerImagePresent(image, verbose = false) {
+  try {
+    await $({ mirror: false })`docker image inspect ${image}`;
+    if (verbose) console.log(`[VERBOSE] isolation-runner: docker image inspect '${image}': present`);
+    return true;
+  } catch {
+    if (verbose) console.log(`[VERBOSE] isolation-runner: docker image inspect '${image}': absent`);
+    return false;
+  }
+}
+
+/**
+ * Startup preflight for `--isolation docker`.
+ *
+ * The bot usually runs inside a Docker-in-Docker container whose NESTED daemon
+ * starts with an empty image store. If the isolation image is not already in
+ * that nested daemon, the first isolated task makes `docker run` pull a fresh
+ * copy — which for the Hive Mind images is multiple gigabytes (issues #1914,
+ * #1879). box can seed the nested daemon automatically (host-image passthrough)
+ * but only when the host Docker socket is bind-mounted into the container; if it
+ * is not mounted, passthrough is a SILENT no-op and the re-download is the first
+ * symptom an operator sees.
+ *
+ * This preflight makes that condition observable at startup instead: it reports
+ * whether the image is already present (reuse, no pull) and, when it is absent,
+ * warns loudly with the exact remediation (mount the host socket / set the
+ * passthrough allowlist, or run the preload script). It never throws and never
+ * blocks startup — a misconfigured passthrough should degrade to a slow first
+ * task, not a dead bot.
+ *
+ * @param {Object} [options]
+ * @param {Object} [options.env] - Environment (defaults to process.env)
+ * @param {Function} [options.existsSync] - fs.existsSync (injectable for tests)
+ * @param {boolean} [options.verbose] - Enable verbose logging
+ * @param {Object} [options.logger] - Logger with .log/.warn (defaults to console)
+ * @param {Function} [options.checkImagePresent] - Image-presence probe (injectable for tests)
+ * @returns {Promise<{image: string, sock: string, socketMounted: boolean, imagePresent: boolean, isDind: boolean, ok: boolean, warnings: string[]}>}
+ */
+export async function preflightDockerIsolation(options = {}) {
+  const { env = process.env, existsSync = fs.existsSync, verbose = false, logger = console, checkImagePresent = checkDockerImagePresent } = options;
+
+  const image = getDockerIsolationImage({ env });
+  const sock = resolveHostDockerSock({ env });
+  const isDind = shouldRunPrivilegedDockerIsolation(image, env);
+  const socketMounted = Boolean(existsSync(sock));
+  const imagePresent = Boolean(await checkImagePresent(image, verbose));
+
+  const result = { image, sock, socketMounted, imagePresent, isDind, ok: imagePresent, warnings: [] };
+  const info = typeof logger.log === 'function' ? logger.log.bind(logger) : () => {};
+  const warn = typeof logger.warn === 'function' ? logger.warn.bind(logger) : info;
+
+  if (imagePresent) {
+    info(`✅ Docker isolation image '${image}' is already present locally — isolated tasks reuse it (no multi-GB pull). See issue #1914.`);
+    return result;
+  }
+
+  // Image absent: the first isolated task will pull the full image. Explain the
+  // most likely cause and the exact fix instead of letting the operator first
+  // discover it as a surprise multi-gigabyte download mid-task.
+  const preload = `node scripts/preload-dind-isolation-image.mjs --image ${image}`;
+  if (isDind && !socketMounted) {
+    result.warnings.push(`Docker isolation image '${image}' is NOT in the nested Docker daemon and the host Docker socket is not mounted at ${sock}. ` + `box host-image passthrough cannot seed the nested daemon, so the FIRST isolated task will pull the full image (the Hive Mind images are multiple GB). ` + `Fix the deployment: add '-v /var/run/docker.sock:${sock}:ro' and '-e DIND_HOST_PASSTHROUGH_IMAGES="konard/hive-mind konard/hive-mind-dind"' to the bot container's 'docker run', or seed it now with: ${preload}`);
+  } else if (isDind && socketMounted) {
+    result.warnings.push(`Docker isolation image '${image}' is NOT in the nested Docker daemon even though the host Docker socket is mounted at ${sock}. ` + `box host-image passthrough may have skipped it (check DIND_HOST_PASSTHROUGH mode, the DIND_HOST_PASSTHROUGH_IMAGES allowlist, and that the host actually has '${image}' with a registry digest). ` + `The first isolated task will pull the full image. Seed it now with: ${preload}`);
+  } else {
+    result.warnings.push(`Docker isolation image '${image}' is not present locally; the first isolated task will pull it. ` + `If this host already has it under a different tag, pin HIVE_MIND_DOCKER_ISOLATION_IMAGE_TAG, or seed it with: ${preload}`);
+  }
+  for (const w of result.warnings) warn(`⚠️ ${w}`);
+  return result;
+}
+
 /**
  * Check if an isolated session is still running.
- * Uses `$ --status` first, with a `screen -ls` fallback for screen-backend
- * sessions to work around start-command UUID mismatch issues.
+ * Uses `$ --status` first, with a backend-specific fallback (screen -ls for
+ * screen, docker inspect for docker) to work around start-command UUID
+ * mismatch issues.
  *
- * @param {string} sessionId - UUID of the session (used for both $ --status and screen session name)
+ * @param {string} sessionId - UUID of the session (also the screen session name / docker container name)
  * @param {Object} [options] - Options
  * @param {string} [options.backend] - Isolation backend ('screen', 'tmux', 'docker')
  * @param {boolean} [options.verbose] - Enable verbose logging
@@ -579,19 +705,29 @@ export async function isSessionRunning(sessionId, options = {}) {
     }
   }
 
-  // Fallback: for screen-backed sessions, check screen -ls directly.
-  // Docker isolation is also tracked through a screen wrapper so Hive Mind can
-  // control image selection and credential mounts while preserving logs/status.
-  // Only use this when $ --status has no usable record. This works around
-  // older start-command bugs where:
-  // 1. $ --status can't find session by --session name (only by internal UUID)
-  // See: https://github.com/link-assistant/hive-mind/issues/1545
-  if ((backend === 'screen' || backend === 'docker') && shouldFallbackToScreenStatus(result)) {
-    const screenRunning = await checkScreenSessionRunning(sessionId, verbose);
-    if (screenRunning && verbose) {
-      console.log(`[VERBOSE] isolation-runner: $ --status says not running, but screen -ls confirms session '${sessionId}' is still active`);
+  // Fallback used only when `$ --status` has no usable record. This works
+  // around older start-command bugs where `$ --status` can't resolve a session
+  // by its --session name (only by an internal UUID). See issue #1545.
+  //   - screen sessions: confirm via `screen -ls`.
+  //   - docker sessions: confirm via `docker inspect` on the container that
+  //     start-command named after the session UUID. Native Docker isolation
+  //     (issue #1914) is a real container, not a screen wrapper, so the screen
+  //     check no longer applies to it.
+  if (shouldFallbackToScreenStatus(result)) {
+    if (backend === 'screen') {
+      const screenRunning = await checkScreenSessionRunning(sessionId, verbose);
+      if (screenRunning && verbose) {
+        console.log(`[VERBOSE] isolation-runner: $ --status says not running, but screen -ls confirms session '${sessionId}' is still active`);
+      }
+      return screenRunning;
+    }
+    if (backend === 'docker') {
+      const containerRunning = await checkDockerContainerRunning(sessionId, verbose);
+      if (containerRunning && verbose) {
+        console.log(`[VERBOSE] isolation-runner: $ --status says not running, but docker inspect confirms container '${sessionId}' is still active`);
+      }
+      return containerRunning;
     }
-    return screenRunning;
   }
 
   return false;

package/src/solve.auto-continue.lib.mjs

@@ -248,6 +248,65 @@ export const autoContinueWhenLimitResets = async (issueUrl, sessionId, argv, sho
   }
 };
 
+/**
+ * Collect candidate PRs for an issue from two complementary sources, deduped by
+ * PR number.
+ *
+ * Issue #1895: a pull request that targets a NON-default base branch (for
+ * example a stacked sub-issue branch like `issue-47-...`, or any PR created with
+ * `--base-branch <not-main>`) never appears in GitHub's `linked:issue` search,
+ * because GitHub only registers closing references for PRs merged into the
+ * repository's default branch. Relying on the `linked:issue` search alone makes
+ * `--auto-continue` blind to those PRs and silently create a duplicate. We
+ * therefore ALSO search by the deterministic `issue-{N}-{hash}` head-branch
+ * name, which is a reliable signal regardless of which base branch the PR
+ * targets. Source 1 (the legacy `linked:issue` search) is preserved so previous
+ * linking behavior is unchanged; source 2 only ever adds PRs that source 1
+ * would have missed.
+ *
+ * The two result sets are merged and deduped by PR number; callers still apply
+ * `matchesIssuePattern` to reject any unrelated branch the search may surface.
+ *
+ * @param {Object} options
+ * @param {Function} options.$ - command-stream `$` exec helper (injected for testability)
+ * @param {string} options.owner
+ * @param {string} options.repo
+ * @param {string|number} options.issueNumber
+ * @returns {Promise<Array<{number:number, createdAt?:string, headRefName?:string, isDraft?:boolean, state?:string}>>}
+ */
+export const collectIssuePrCandidates = async ({ $: dollar = $, owner, repo, issueNumber }) => {
+  const candidates = new Map();
+  const collect = result => {
+    if (!result || result.code !== 0) {
+      return;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(result.stdout.toString().trim() || '[]');
+    } catch {
+      parsed = [];
+    }
+    for (const pr of parsed) {
+      if (pr && pr.number !== undefined && pr.number !== null) {
+        // Keep the first occurrence; the linked search runs first and both
+        // sources return the same shape, so dedup order is irrelevant.
+        if (!candidates.has(pr.number)) {
+          candidates.set(pr.number, pr);
+        }
+      }
+    }
+  };
+
+  // Source 1 (legacy behavior, preserved): PRs GitHub reports as linked.
+  collect(await dollar`gh pr list --repo ${owner}/${repo} --search "linked:issue-${issueNumber}" --json number,createdAt,headRefName,isDraft,state --limit 10`);
+
+  // Source 2 (issue #1895): PRs whose head branch matches this issue's naming
+  // convention — reliably surfaces PRs targeting a non-default base branch.
+  collect(await dollar`gh pr list --repo ${owner}/${repo} --search "head:${getIssueBranchPrefix(issueNumber)}" --json number,createdAt,headRefName,isDraft,state --limit 20`);
+
+  return [...candidates.values()];
+};
+
 // Auto-continue logic: check for existing PRs if --auto-continue is enabled
 export const checkExistingPRsForAutoContinue = async (argv, isIssueUrl, owner, repo, urlNumber) => {
   let isContinueMode = false;
@@ -260,14 +319,14 @@ export const checkExistingPRsForAutoContinue = async (argv, isIssueUrl, owner, r
     await log(`🔍 Auto-continue enabled: Checking for existing PRs for issue #${issueNumber}...`);
 
     try {
-      // Get all PRs linked to this issue
-      const prListResult = await $`gh pr list --repo ${owner}/${repo} --search "linked:issue-${issueNumber}" --json number,createdAt,headRefName,isDraft,state --limit 10`;
-
-      if (prListResult.code === 0) {
-        const prs = JSON.parse(prListResult.stdout.toString().trim() || '[]');
+      // Get all candidate PRs for this issue. Issue #1895: this includes PRs
+      // targeting a non-default base branch (found by head-branch name), which
+      // GitHub's `linked:issue` search omits.
+      const prs = await collectIssuePrCandidates({ $, owner, repo, issueNumber });
 
+      {
         if (prs.length > 0) {
-          await log(`📋 Found ${prs.length} existing PR(s) linked to issue #${issueNumber}`);
+          await log(`📋 Found ${prs.length} existing PR(s) for issue #${issueNumber}`);
 
           // Find PRs that are older than 24 hours
           const now = new Date();
@@ -535,14 +594,15 @@ export const processAutoContinueForIssue = async (argv, isIssueUrl, urlNumber, o
   }
 
   try {
-    // Get all PRs linked to this issue
-    const prListResult = await $`gh pr list --repo ${owner}/${repo} --search "linked:issue-${issueNumber}" --json number,createdAt,headRefName,isDraft,state --limit 10`;
-
-    if (prListResult.code === 0) {
-      const prs = JSON.parse(prListResult.stdout.toString().trim() || '[]');
+    // Get all candidate PRs for this issue. Issue #1895: this includes PRs
+    // targeting a non-default base branch (found by head-branch name), which
+    // GitHub's `linked:issue` search omits — critical so --auto-continue
+    // detects and resumes the existing PR instead of creating a duplicate.
+    const prs = await collectIssuePrCandidates({ $, owner, repo, issueNumber });
 
+    {
       if (prs.length > 0) {
-        await log(`📋 Found ${prs.length} existing PR(s) linked to issue #${issueNumber}`);
+        await log(`📋 Found ${prs.length} existing PR(s) for issue #${issueNumber}`);
 
         // Find PRs that are older than 24 hours
         const now = new Date();

package/src/solve.auto-merge.lib.mjs

@@ -77,6 +77,10 @@ const { maybeAttachWorkingSessionSummary, ensurePullRequestIssueLink } = results
 const { interruptibleSleep } = await import('./interruptible-sleep.lib.mjs');
 const { formatAutoIterationLimit, hasReachedAutoIterationLimit, normalizeAutoIterationLimit, shouldSyncBeforeRestart } = await import('./auto-iteration-limits.lib.mjs');
 
+// Issue #1895: explicitly close linked issues after merging a PR into a
+// non-default branch, where GitHub does not auto-close them.
+const { ensureLinkedIssueClosedAfterMerge } = await import('./github-issue-auto-close.lib.mjs');
+
 const shouldDeleteBranchAfterMerge = argv => argv.autoDeleteBranchOnMerge || argv.deleteBranchAfterMerge || false;
 
 /**
@@ -309,6 +313,22 @@ export const watchUntilMergeable = async params => {
               // Don't fail if comment posting fails
             }
 
+            // Issue #1895: when the PR targeted a non-default branch GitHub does
+            // not auto-close the linked issue. Close it explicitly so the issue
+            // is not left open after its PR merges.
+            if (issueNumber) {
+              try {
+                const closeResult = await ensureLinkedIssueClosedAfterMerge({ $, log, owner, repo, prNumber, issueNumber, verbose: argv.verbose });
+                if (closeResult.skipped && argv.verbose) {
+                  await log(formatAligned('', 'Issue auto-close:', `skipped (${closeResult.reason})`, 2), { verbose: true });
+                } else if (!closeResult.closed && !closeResult.skipped) {
+                  await log(formatAligned('⚠️', 'Issue auto-close:', `could not close issue #${issueNumber} (${closeResult.reason})`, 2), { level: 'warning' });
+                }
+              } catch (closeError) {
+                await log(formatAligned('⚠️', 'Issue auto-close:', `error closing issue #${issueNumber}: ${closeError.message}`, 2), { level: 'warning' });
+              }
+            }
+
             return { success: true, reason: 'auto-merged', latestSessionId, latestAnthropicCost };
           } else {
             await log(formatAligned('⚠️', 'Auto-merge failed:', mergeResult.error || 'Unknown error', 2));
@@ -1171,7 +1191,7 @@ No further AI sessions will be started automatically for this run. Please review
  * This implements the --auto-merge functionality for one-shot merge attempts
  */
 export const attemptAutoMerge = async params => {
-  const { owner, repo, prNumber, argv } = params;
+  const { owner, repo, prNumber, issueNumber = null, argv } = params;
 
   await log('');
   await log(formatAligned('🔀', 'AUTO-MERGE:', 'Checking if PR can be merged...'));
@@ -1234,6 +1254,16 @@ export const attemptAutoMerge = async params => {
       // Don't fail if comment posting fails
     }
 
+    // Issue #1895: close linked issue explicitly when GitHub will not (non-default base branch).
+    try {
+      const closeResult = await ensureLinkedIssueClosedAfterMerge({ $, log, owner, repo, prNumber, issueNumber, verbose: argv.verbose });
+      if (!closeResult.closed && !closeResult.skipped) {
+        await log(formatAligned('⚠️', 'Issue auto-close:', `could not close linked issue (${closeResult.reason})`, 2), { level: 'warning' });
+      }
+    } catch (closeError) {
+      await log(formatAligned('⚠️', 'Issue auto-close:', `error: ${closeError.message}`, 2), { level: 'warning' });
+    }
+
     return { success: true, reason: 'merged' };
   } else {
     await log(formatAligned('⚠️', 'Merge failed:', mergeResult.error || 'Unknown error', 2));

package/src/solve.auto-pr.lib.mjs

@@ -4,6 +4,7 @@
  */
 
 import { closingIssueNumbersContain, parseClosingIssueNumbers } from './pr-issue-linking.lib.mjs';
+import { classifyIssueLinkStatus, buildNonDefaultBranchExplanation } from './github-issue-auto-close.lib.mjs'; // Issue #1895: explain non-default-base-branch linking failures instead of the misleading "add Fixes #N" advice.
 import { handleRejectedPushForAutoPr, synchronizeExistingIssueBranchBeforeAutoPrCreation } from './solve.branch-divergence.lib.mjs';
 import { emitForkAwareDiagnostic } from './solve.auto-pr-fork-diagnostic.lib.mjs';
 import { handleCompareApiNotReady } from './solve.auto-pr-compare-readiness.lib.mjs'; // Issue #1829: decides whether a failed compare-API readiness poll is fatal (fork mismatch / 0 commits) or a transient diff-render failure to degrade past.
@@ -1171,31 +1172,58 @@ ${prBody}`,
                   if (closingIssueNumbersContain(linkedIssues, issueNumber)) {
                     await log(formatAligned('✅', 'Link verified:', `Issue #${issueNumber} → PR #${localPrNumber}`));
                   } else {
-                    // This is a problem - the link wasn't created
-                    await log('');
-                    await log(formatAligned('⚠️', 'ISSUE LINK MISSING:', 'PR not linked to issue'), {
-                      level: 'warning',
+                    // The link wasn't registered by GitHub. Issue #1895: this is
+                    // expected (not a body problem) when the PR targets a
+                    // non-default branch, because GitHub only registers closing
+                    // references for PRs into the default branch. Diagnose the
+                    // real root cause instead of telling the user to add a
+                    // "Fixes #N" line that is already present.
+                    const targetBranch = argv.baseBranch || defaultBranch;
+                    const linkStatus = classifyIssueLinkStatus({
+                      prBody,
+                      issueNumber,
+                      owner,
+                      repo,
+                      baseBranch: targetBranch,
+                      defaultBranch,
+                      githubLinked: false,
                     });
-                    await log('');
 
-                    if (argv.fork) {
-                      await log("   The PR was created from a fork but wasn't linked to the issue.", {
-                        level: 'warning',
-                      });
-                      await log(`   Expected: "Fixes ${owner}/${repo}#${issueNumber}" in PR body`, {
-                        level: 'warning',
-                      });
+                    await log('');
+                    if (linkStatus.reason === 'non-default-base-branch') {
+                      // Keyword present + non-default base: GitHub will not
+                      // auto-close. This is handled later by the explicit
+                      // post-merge close fallback, so surface it as info.
+                      await log(formatAligned('ℹ️', 'ISSUE LINK DEFERRED:', `PR targets non-default branch '${targetBranch}'`));
                       await log('');
-                      await log('   To fix manually:', { level: 'warning' });
-                      await log(`   1. Edit the PR description at: ${prUrl}`, { level: 'warning' });
-                      await log(`   2. Add this line: Fixes ${owner}/${repo}#${issueNumber}`, { level: 'warning' });
+                      for (const line of buildNonDefaultBranchExplanation({ issueNumber, baseBranch: targetBranch, defaultBranch, issueRef })) {
+                        await log(`   ${line}`);
+                      }
                     } else {
-                      await log(`   The PR wasn't linked to issue #${issueNumber}`, { level: 'warning' });
-                      await log(`   Expected: "Fixes #${issueNumber}" in PR body`, { level: 'warning' });
+                      await log(formatAligned('⚠️', 'ISSUE LINK MISSING:', 'PR not linked to issue'), {
+                        level: 'warning',
+                      });
                       await log('');
-                      await log('   To fix manually:', { level: 'warning' });
-                      await log(`   1. Edit the PR description at: ${prUrl}`, { level: 'warning' });
-                      await log(`   2. Ensure it contains: Fixes #${issueNumber}`, { level: 'warning' });
+
+                      if (argv.fork) {
+                        await log("   The PR was created from a fork but wasn't linked to the issue.", {
+                          level: 'warning',
+                        });
+                        await log(`   Expected: "Fixes ${owner}/${repo}#${issueNumber}" in PR body`, {
+                          level: 'warning',
+                        });
+                        await log('');
+                        await log('   To fix manually:', { level: 'warning' });
+                        await log(`   1. Edit the PR description at: ${prUrl}`, { level: 'warning' });
+                        await log(`   2. Add this line: Fixes ${owner}/${repo}#${issueNumber}`, { level: 'warning' });
+                      } else {
+                        await log(`   The PR wasn't linked to issue #${issueNumber}`, { level: 'warning' });
+                        await log(`   Expected: "Fixes #${issueNumber}" in PR body`, { level: 'warning' });
+                        await log('');
+                        await log('   To fix manually:', { level: 'warning' });
+                        await log(`   1. Edit the PR description at: ${prUrl}`, { level: 'warning' });
+                        await log(`   2. Ensure it contains: Fixes #${issueNumber}`, { level: 'warning' });
+                      }
                     }
                     await log('');
                   }

package/src/telegram-bot.mjs

@@ -180,6 +180,16 @@ if (ISOLATION_BACKEND) {
   }
   console.log(`🔒 Isolation mode enabled: ${ISOLATION_BACKEND} (experimental)`);
   isolationRunner = await import('./isolation-runner.lib.mjs');
+  // For docker isolation, run a startup preflight so a missing/un-passed-through
+  // image surfaces as a loud, actionable warning instead of a surprise multi-GB
+  // pull on the first isolated task (issues #1914, #1879). Never throws.
+  if (ISOLATION_BACKEND === 'docker' && typeof isolationRunner.preflightDockerIsolation === 'function') {
+    try {
+      await isolationRunner.preflightDockerIsolation({ verbose: VERBOSE });
+    } catch (preflightError) {
+      console.error(`⚠️ Docker isolation preflight failed (continuing): ${preflightError?.message || preflightError}`);
+    }
+  }
 }
 
 // Validate solve overrides early using solve's yargs config

package/src/telegram-merge-queue.lib.mjs

@@ -16,7 +16,7 @@
  * @see https://github.com/link-assistant/hive-mind/issues/1143
  */
 
-import { getAllReadyPRs, checkPRCIStatus, checkPRMergeable, mergePullRequest, waitForCI, ensureReadyLabel, waitForBranchCI, getDefaultBranch, waitForCommitCI, checkBranchCIHealth, getMergeCommitSha, getPRStatus, syncReadyTags } from './github-merge.lib.mjs';
+import { getAllReadyPRs, checkPRCIStatus, checkPRMergeable, mergePullRequest, waitForCI, ensureReadyLabel, waitForBranchCI, getDefaultBranch, waitForCommitCI, checkBranchCIHealth, getMergeCommitSha, getPRStatus, syncReadyTags, closeLinkedIssueIfNotAutoClosed } from './github-merge.lib.mjs';
 import { mergeQueue as mergeQueueConfig } from './config.lib.mjs';
 import { getProgressBar } from './limits.lib.mjs';
 
@@ -512,6 +512,17 @@ export class MergeQueueProcessor {
       this.stats.merged++;
       this.log(`Successfully merged PR #${item.pr.number}`);
 
+      // Issue #1895: GitHub does not auto-close linked issues for PRs merged into
+      // a non-default branch. Close the linked issue explicitly in that case.
+      try {
+        const closeResult = await closeLinkedIssueIfNotAutoClosed(this.owner, this.repo, item.pr.number, this.verbose);
+        if (closeResult.closed) {
+          this.log(`Closed linked issue #${closeResult.issueNumber} for PR #${item.pr.number} (merged into non-default branch)`);
+        }
+      } catch (closeError) {
+        this.log(`Could not close linked issue for PR #${item.pr.number}: ${closeError.message}`);
+      }
+
       // Issue #1341: Get the merge commit SHA for post-merge CI tracking
       // Need a small delay to allow GitHub to update the PR state
       await this.sleep(5000);