@link-assistant/hive-mind 1.78.9 → 1.78.11

package/CHANGELOG.md

@@ -1,5 +1,101 @@
 # @link-assistant/hive-mind
 
+## 1.78.11
+
+### Patch Changes
+
+- 24fb17e: fix(retry): auto-resume on server-side 429 "Server is temporarily limiting requests" rate-limit errors (#1924)
+
+  A long-running solve session (177 turns, ~72 min) was thrown away when the Claude
+  CLI surfaced a **server-side temporary rate limit**:
+
+  ```
+  API Error: Server is temporarily limiting requests (not your usage limit) · Rate limited
+  ```
+
+  The CLI reports this as a `result` event with `is_error: true` and
+  `api_error_status: 429`, and the HTTP response carries `x-should-retry: true`.
+  This is a transient throttle that clears on its own — distinct from an account
+  usage/quota limit (the message literally says "not your usage limit", and there
+  is no reset time to wait for).
+
+  Root cause: the error matched neither `classifyRetryableError` (no pattern for
+  the 429 throttle wording) nor `isUsageLimitError` (correctly, since it is not a
+  quota limit), so it fell through to a hard failure with exit code 1 and **no
+  auto-resume**, unlike every other transient class (overload 500/529, 503,
+  internal server error, request timeout, socket drops).
+
+  Fix: `classifyRetryableError` (in `src/tool-retry.lib.mjs`, the shared classifier
+  used by every tool wrapper — claude, codex, gemini, opencode, qwen, agent) now
+  recognises this throttle and marks it retryable (`isCapacity: false`, so no model
+  switch), so it retries with the session preserved (`--resume`) after a backoff.
+  `src/claude.lib.mjs` additionally detects the structured `api_error_status === 429`
+  directly (robust to wording changes) and logs a verbose diagnostic with the
+  `request_id`. The matcher is narrow so genuine account usage limits stay on the
+  usage-limit reset-time path.
+
+  Added `tests/test-issue-1924-rate-limit-retry.mjs` (18 assertions) and a full
+  case study with timeline, root-cause analysis, upstream references
+  (anthropics/claude-code#53915, #53922), and the captured logs under
+  `docs/case-studies/issue-1924`.
+
+## 1.78.10
+
+### Patch Changes
+
+- 02faadb: fix(auto-merge): stop `/merge` from hanging forever on fork PRs with external-only `success` checks (#1918)
+
+  The `/merge` auto-merge watch loop could spin on the same commit indefinitely
+  (observed 73 minutes, 72 identical iterations, before a human killed it). It
+  happened on a **fork pull request** whose only repo workflows trigger on `push`
+  (which never fires for fork commits in the base repo) while an external app
+  (CodeRabbit) reported CI status `success` with **0 workflow runs** for the head
+  SHA.
+
+  Root cause: the watch loop reset its consecutive "no workflow runs" safety-valve
+  counter (`consecutiveNoRunsChecks`) on every iteration whenever
+  `ciStatus.status !== 'no_checks'`. Because external-only checks make the status
+  `'success'`, the counter was pinned at `1` and never reached
+  `MAX_NO_RUNS_CHECKS`, so the valve that should have ended the wait never fired —
+  the loop logged `check 1/5` forever.
+
+  Fix: `getMergeBlockers()` now returns a `noWorkflowRunsForCommit` flag that is
+  true while it is still waiting for PR-triggered workflow runs to register, and a
+  new pure helper `shouldResetNoRunsCounter(ciStatus, noWorkflowRunsForCommit)`
+  only resets the counter when CI is **not** in that waiting state. The counter
+  now climbs `1 → 2 → … → 5`, trips the safety valve in a few minutes, and `/merge`
+  proceeds. The #1503 behaviors (reset on new push / on genuine CI runs) are
+  preserved and regression-guarded.
+
+  Added `tests/test-merge-stuck-no-workflow-runs-1918.mjs` and a full case study
+  with timeline, root-cause analysis, and the captured logs under
+  `docs/case-studies/issue-1918`.
+
+- 9e00f14: fix(telegram): never re-execute a forwarded command (`/task`, `/stop`, `/tokens`, `/log`, `/terminal_watch`) (#1922)
+
+  Forwarding a message that starts with a bot command (for example the bot's own
+  `/task <url>` reply, or any `/task https://github.com/owner/repo`) caused the
+  Telegram bot to execute the command again — creating a brand-new GitHub issue or
+  spawning a session the user never intended. `/task` and `/split` only checked
+  `isOldMessage` and never rejected forwarded messages, unlike `/help`, `/solve`,
+  `/hive`, `/merge`, etc.
+
+  Root cause: the existing `isForwardedOrReply` filter rejects _both_ forwards and
+  replies, so commands that use the reply feature (`/task` issue creation, `/solve`
+  URL extraction, targeted `/stop`) could not use it without breaking replies — and
+  were therefore left without any forwarded check at all.
+
+  Fix: a new dedicated `isForwarded(ctx)` filter detects _only_ forwarded messages
+  (new `forward_origin` API + legacy `forward_*` fields) and intentionally ignores
+  replies. It is now applied to every command that previously lacked a forwarded
+  guard — `/task`, `/split`, `/stop` (including targeted `/stop <uuid>`), `/tokens`,
+  `/log`, `/terminal_watch`/`/watch` — and `/solve` was refactored to reuse it
+  instead of its ad-hoc inline check. Genuine user replies keep working.
+
+  Added unit tests for `isForwarded` and for forwarded `/task`/`/split` rejection,
+  plus a full case study with timeline and per-command audit under
+  `docs/case-studies/issue-1922`.
+
 ## 1.78.9
 
 ### Patch Changes

package/README.hi.md

@@ -45,7 +45,7 @@ Hive Mind एक **सामान्यवादी AI** (मिनी-AGI) ह
 
 Hive Mind में औसत प्रोग्रामर से अलग न पहचानी जा सकने वाली उच्च रचनात्मकता है। यदि आवश्यकताएँ अस्पष्ट हों तो यह प्रश्न पूछता है, और आप PR टिप्पणियों के माध्यम से चलते-चलते स्पष्ट कर सकते हैं।
 
-विस्तृत विशेषताओं और तुलनाओं के लिए, [docs/FEATURES.hi.md](./docs/FEATURES.hi.md) और [docs/COMPARISON.hi.md](./docs/COMPARISON.hi.md) देखें।
+प्रोजेक्ट के दृष्टिकोण और उदाहरण उपयोगकर्ता यात्राओं के लिए, [docs/VISION.hi.md](./docs/VISION.hi.md) देखें। विस्तृत विशेषताओं और तुलनाओं के लिए, [docs/FEATURES.hi.md](./docs/FEATURES.hi.md) और [docs/COMPARISON.hi.md](./docs/COMPARISON.hi.md) देखें।
 
 ## ⚠️ चेतावनी
 

package/README.md

@@ -45,7 +45,7 @@ Both tools can be combined in the same hive. Workers can run different tools in
 
 Hive Mind has high creativity indistinguishable from average programmers. It asks questions if requirements are unclear, and you can clarify on the go via PR comments.
 
-For detailed features and comparisons, see [docs/FEATURES.md](./docs/FEATURES.md) and [docs/COMPARISON.md](./docs/COMPARISON.md).
+For the project's vision and example user journeys, see [docs/VISION.md](./docs/VISION.md). For detailed features and comparisons, see [docs/FEATURES.md](./docs/FEATURES.md) and [docs/COMPARISON.md](./docs/COMPARISON.md).
 
 ## ⚠️ WARNING
 

package/README.ru.md

@@ -45,7 +45,7 @@ Hive Mind — это **универсальный ИИ** (мини-AGI), спо
 
 Hive Mind обладает высоким уровнем творчества, неотличимым от среднего программиста. Он задаёт вопросы, если требования неясны, и вы можете уточнять их на ходу через комментарии к PR.
 
-Подробные возможности и сравнения см. в [docs/FEATURES.ru.md](./docs/FEATURES.ru.md) и [docs/COMPARISON.ru.md](./docs/COMPARISON.ru.md).
+Видение проекта и примеры пользовательских сценариев см. в [docs/VISION.ru.md](./docs/VISION.ru.md). Подробные возможности и сравнения см. в [docs/FEATURES.ru.md](./docs/FEATURES.ru.md) и [docs/COMPARISON.ru.md](./docs/COMPARISON.ru.md).
 
 ## ⚠️ ПРЕДУПРЕЖДЕНИЕ
 

package/README.zh.md

@@ -45,7 +45,7 @@ Hive Mind 是一款**通用 AI**（迷你 AGI），能够处理广泛的任务
 
 Hive Mind 具备与普通程序员无异的高度创造力。当需求不明确时，它会主动提问，您也可以随时通过 PR 评论进行说明补充。
 
-详细功能和对比信息，请参见 [docs/FEATURES.zh.md](./docs/FEATURES.zh.md) 和 [docs/COMPARISON.zh.md](./docs/COMPARISON.zh.md)。
+关于项目的愿景和示例用户旅程，请参见 [docs/VISION.zh.md](./docs/VISION.zh.md)。详细功能和对比信息，请参见 [docs/FEATURES.zh.md](./docs/FEATURES.zh.md) 和 [docs/COMPARISON.zh.md](./docs/COMPARISON.zh.md)。
 
 ## ⚠️ 警告
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-assistant/hive-mind",
-  "version": "1.78.9",
+  "version": "1.78.11",
   "description": "AI-powered issue solver and hive mind for collaborative problem solving",
   "main": "src/hive.mjs",
   "type": "module",

package/src/claude.lib.mjs

@@ -648,6 +648,7 @@ export const executeClaudeCommand = async params => {
     let is503Error = false;
     let isInternalServerError = false;
     let isRequestTimeout = false;
+    let isRateLimitError = false; // Issue #1924: server-side 429 temporary rate limiting
     let apiMarkedNotRetryable = false;
     let resultNumTurns = 0;
     let stderrErrors = [];
@@ -977,6 +978,14 @@ export const executeClaudeCommand = async params => {
                     isRequestTimeout = true;
                     await log('⏱️ Detected request timeout from Claude CLI (will retry with --resume)', { verbose: true });
                   }
+                  // Issue #1924: Server-side temporary rate limiting (HTTP 429) — a transient
+                  // throttle, not an account usage limit ("...not your usage limit..."), so retry
+                  // with --resume. The message text is handled by classifyRetryableError; this also
+                  // catches the structured api_error_status if the wording ever changes.
+                  if (data.api_error_status === 429) {
+                    isRateLimitError = true;
+                    await log(`⚠️ Detected server-side rate limiting (429) from Claude CLI (will retry with --resume). request_id=${data.request_id || 'unknown'}`, { verbose: true });
+                  }
                   // Issue #1834: Detect corrupted extended-thinking-block 400 (un-resumable session).
                   // Capture diagnostics (request id, content path) to aid debugging and upstream reports.
                   if ((lastMessage.includes('thinking') || lastMessage.includes('redacted_thinking')) && lastMessage.includes('cannot be modified')) {
@@ -1174,7 +1183,7 @@ export const executeClaudeCommand = async params => {
         return await executeWithRetry();
       }
       // Issues #1331, #1353, #1472/#1475: Unified transient error retry (exponential backoff, session preservation)
-      const isTransientError = isStartupTimeout || isActivityTimeout || isOverloadError || isInternalServerError || is503Error || isRequestTimeout || retryableLastError.isRetryable || (lastMessage.includes('API Error: 500') && (lastMessage.includes('Overloaded') || lastMessage.includes('Internal server error'))) || (lastMessage.includes('API Error: 529') && (lastMessage.includes('overloaded_error') || lastMessage.includes('Overloaded'))) || (lastMessage.includes('api_error') && lastMessage.includes('Overloaded')) || (lastMessage.includes('overloaded_error') && lastMessage.includes('Overloaded')) || lastMessage.includes('API Error: 503') || (lastMessage.includes('503') && (lastMessage.includes('upstream connect error') || lastMessage.includes('remote connection failure'))) || lastMessage === 'Request timed out' || lastMessage.includes('Request timed out');
+      const isTransientError = isStartupTimeout || isActivityTimeout || isOverloadError || isInternalServerError || is503Error || isRequestTimeout || isRateLimitError || retryableLastError.isRetryable || (lastMessage.includes('API Error: 500') && (lastMessage.includes('Overloaded') || lastMessage.includes('Internal server error'))) || (lastMessage.includes('API Error: 529') && (lastMessage.includes('overloaded_error') || lastMessage.includes('Overloaded'))) || (lastMessage.includes('api_error') && lastMessage.includes('Overloaded')) || (lastMessage.includes('overloaded_error') && lastMessage.includes('Overloaded')) || lastMessage.includes('API Error: 503') || (lastMessage.includes('503') && (lastMessage.includes('upstream connect error') || lastMessage.includes('remote connection failure'))) || lastMessage === 'Request timed out' || lastMessage.includes('Request timed out');
       if ((commandFailed || isTransientError) && isTransientError) {
         // Issue #1472/#1475: Startup/activity timeout → 30s–2min backoff; #1353: Request timeout → 5min–1hr; general → 2min–30min
         const isTimeoutRetry = isStartupTimeout || isActivityTimeout;
@@ -1208,7 +1217,7 @@ export const executeClaudeCommand = async params => {
         }
         if (retryCount < maxRetries) {
           const delay = Math.min(initialDelay * Math.pow(retryLimits.retryBackoffMultiplier, retryCount), maxDelay);
-          const errorLabel = isStartupTimeout ? 'Stream startup timeout (Issue #1472/#1475)' : isActivityTimeout ? 'Stream activity timeout (Issue #1472)' : isRequestTimeout ? 'Request timeout' : retryableLastError.label || (isOverloadError || (lastMessage.includes('API Error: 500') && lastMessage.includes('Overloaded')) || (lastMessage.includes('API Error: 529') && lastMessage.includes('Overloaded')) ? `API overload (${lastMessage.includes('529') ? '529' : '500'})` : isInternalServerError || lastMessage.includes('Internal server error') ? 'Internal server error (500)' : '503 network error');
+          const errorLabel = isStartupTimeout ? 'Stream startup timeout (Issue #1472/#1475)' : isActivityTimeout ? 'Stream activity timeout (Issue #1472)' : isRequestTimeout ? 'Request timeout' : retryableLastError.label || (isOverloadError || (lastMessage.includes('API Error: 500') && lastMessage.includes('Overloaded')) || (lastMessage.includes('API Error: 529') && lastMessage.includes('Overloaded')) ? `API overload (${lastMessage.includes('529') ? '529' : '500'})` : isInternalServerError || lastMessage.includes('Internal server error') ? 'Internal server error (500)' : isRateLimitError ? 'Server rate limited (429)' : '503 network error');
           const notRetryableHint = apiMarkedNotRetryable ? ' (API says not retryable — will stop early if no progress)' : '';
           const delayLabel = delay >= 60000 ? `${Math.round(delay / 60000)} min` : `${Math.round(delay / 1000)}s`;
           const retryMode = isStartupTimeout ? ' (fresh start)' : ' (session preserved)';

package/src/solve.auto-merge-helpers.lib.mjs

@@ -421,9 +421,53 @@ export const trackAuthenticatedUserCommentsSince = async (owner, repo, prNumber,
  * - billing_limit: Billing/spending limit reached → stop (private) or wait (public)
  * - no_checks: No CI checks yet (race condition) → wait
  */
+/**
+ * Issue #1918: Decide whether the consecutive "no workflow runs" counter should be
+ * reset after a getMergeBlockers() result.
+ *
+ * The counter (`consecutiveNoRunsChecks` in the watch loop) is a safety valve: after
+ * MAX_NO_RUNS_CHECKS consecutive checks where a repo's PR-triggered workflows produced
+ * 0 workflow runs, /merge stops waiting and trusts the available signal (external
+ * checks / mergeability). For that valve to ever fire, the counter must keep
+ * incrementing across watch-loop iterations for the same commit.
+ *
+ * The previous logic reset the counter whenever `ciStatus.status !== 'no_checks'`.
+ * That is wrong when `status === 'success'` comes from EXTERNAL checks only (e.g.
+ * CodeRabbit) while the repo's own PR-triggered workflows have 0 runs — for example a
+ * fork PR whose only workflow triggers on `push`, which never fires for fork commits in
+ * the base repo. In that case getMergeBlockers keeps emitting the "no workflow runs"
+ * wait, but the caller reset the counter to 0 every iteration, pinning it at "check
+ * 1/5" forever — an infinite watch loop that hung for over an hour (Issue #1918).
+ *
+ * Fix: keep the counter whenever getMergeBlockers signals it is still inside the
+ * no-workflow-runs wait (`noWorkflowRunsForCommit === true`), regardless of ciStatus.
+ *
+ * @param {{status?: string}|null|undefined} ciStatus - Detailed CI status object.
+ * @param {boolean} [noWorkflowRunsForCommit=false] - True when getMergeBlockers is still
+ *   waiting for PR-triggered workflow runs to register for the current commit.
+ * @returns {boolean} true if `consecutiveNoRunsChecks` should be reset to 0.
+ */
+export const shouldResetNoRunsCounter = (ciStatus, noWorkflowRunsForCommit = false) => {
+  // Still inside the no-workflow-runs safety-valve wait — the counter MUST keep
+  // climbing toward MAX_NO_RUNS_CHECKS, so do not reset it.
+  if (noWorkflowRunsForCommit) {
+    return false;
+  }
+  // Genuine CI checks exist (pending/success/failure backed by workflow runs) — the
+  // "no runs" counter is irrelevant and should be reset.
+  return Boolean(ciStatus && ciStatus.status !== 'no_checks');
+};
+
 export const getMergeBlockers = async (owner, repo, prNumber, verbose = false, checkCount = 1, prBranchRef = null) => {
   const blockers = [];
 
+  // Issue #1918: Tracks whether we are still waiting for PR-triggered workflow runs to
+  // register for the current commit (0 runs observed). When true, the caller must NOT
+  // reset its consecutive-no-runs counter, otherwise the MAX_NO_RUNS_CHECKS safety valve
+  // never fires and /merge loops forever (e.g. fork PR + push-only workflow + a passing
+  // external check reporting status 'success').
+  let noWorkflowRunsForCommit = false;
+
   // Use detailed CI status to distinguish between all possible states
   const ciStatus = await getDetailedCIStatus(owner, repo, prNumber, verbose);
 
@@ -630,6 +674,8 @@ export const getMergeBlockers = async (owner, repo, prNumber, verbose = false, c
             if (verbose) {
               await log(formatAligned('⏳', 'Waiting for CI:', `No workflow runs for SHA ${ciStatus.sha.substring(0, 7)}, but workflows have PR/push triggers (${prTriggers.workflows.map(w => w.name).join(', ')}) — check ${checkCount}/${MAX_NO_RUNS_CHECKS}, commit age: ${commitInfo.ageSeconds ?? 'unknown'}s`, 2));
             }
+            // Issue #1918: Still waiting for workflow runs to register — keep the counter.
+            noWorkflowRunsForCommit = true;
             blockers.push({
               type: 'ci_pending',
               message: `CI/CD workflow runs have not appeared yet — workflows have PR/push triggers (${prTriggers.workflows.map(w => w.name).join(', ')}), waiting for GitHub to register workflow runs (check ${checkCount}/${MAX_NO_RUNS_CHECKS})`,
@@ -640,6 +686,8 @@ export const getMergeBlockers = async (owner, repo, prNumber, verbose = false, c
             if (verbose) {
               await log(`[VERBOSE] /merge: No PR/push triggers found in workflow files, but commit is only ${commitInfo.ageSeconds}s old — waiting to be safe`);
             }
+            // Issue #1918: Still inside the grace-period wait for workflow runs — keep the counter.
+            noWorkflowRunsForCommit = true;
             blockers.push({
               type: 'ci_pending',
               message: `CI/CD workflow runs have not appeared yet — commit is ${commitInfo.ageSeconds}s old, waiting for GitHub to register workflow runs (grace period: ${WORKFLOW_RUN_GRACE_PERIOD_SECONDS}s)`,
@@ -717,6 +765,9 @@ export const getMergeBlockers = async (owner, repo, prNumber, verbose = false, c
             if (verbose) {
               await log(`[VERBOSE] /merge: PR #${prNumber} CI status is 'success' (${ciStatus.passedChecks.length} external checks), but repo has PR-triggered workflows with 0 workflow runs — likely race condition (check ${checkCount}/${MAX_NO_RUNS_CHECKS})`);
             }
+            // Issue #1918: Keep the caller's no-runs counter climbing so the safety valve
+            // can fire — otherwise a 'success' from external-only checks resets it forever.
+            noWorkflowRunsForCommit = true;
             // Wait for GitHub Actions to register workflow runs
             blockers.push({
               type: 'ci_pending',
@@ -839,11 +890,12 @@ export const getMergeBlockers = async (owner, repo, prNumber, verbose = false, c
     });
   }
 
-  return { blockers, ciStatus, noCiConfigured: false, noCiTriggered: false };
+  return { blockers, ciStatus, noCiConfigured: false, noCiTriggered: false, noWorkflowRunsForCommit };
 };
 
 export default {
   checkForExistingComment,
   checkForNonBotComments,
   getMergeBlockers,
+  shouldResetNoRunsCounter,
 };

package/src/solve.auto-merge.lib.mjs

@@ -54,7 +54,7 @@ import { limitReset } from './config.lib.mjs';
 
 // Import helper functions extracted for file size management (Issue #1593)
 const autoMergeHelpers = await import('./solve.auto-merge-helpers.lib.mjs');
-const { checkForExistingComment, checkForNonBotComments, getMergeBlockers, trackAuthenticatedUserCommentsSince, nextMonotonicCheckTime } = autoMergeHelpers;
+const { checkForExistingComment, checkForNonBotComments, getMergeBlockers, shouldResetNoRunsCounter, trackAuthenticatedUserCommentsSince, nextMonotonicCheckTime } = autoMergeHelpers;
 
 // Issue #1769: cancelled/stale CI re-run failures need a human action stop, not polling forever.
 const cancelledCiRerunLib = await import('./cancelled-ci-rerun.lib.mjs');
@@ -203,10 +203,15 @@ export const watchUntilMergeable = async params => {
       consecutiveNoRunsChecks++;
 
       // Get merge blockers
-      const { blockers, noCiConfigured, noCiTriggered, workflowRunConclusions, ciStatus } = await getMergeBlockers(owner, repo, prNumber, argv.verbose, consecutiveNoRunsChecks, prBranch);
-
-      // Issue #1503: Reset counter when CI checks exist (safety valve only for consecutive "no runs")
-      if (ciStatus && ciStatus.status !== 'no_checks') {
+      const { blockers, noCiConfigured, noCiTriggered, workflowRunConclusions, ciStatus, noWorkflowRunsForCommit } = await getMergeBlockers(owner, repo, prNumber, argv.verbose, consecutiveNoRunsChecks, prBranch);
+
+      // Issue #1503/#1918: Reset counter when CI checks exist (safety valve only for
+      // consecutive "no runs"). Issue #1918: do NOT reset while getMergeBlockers is still
+      // waiting for PR-triggered workflow runs to register (noWorkflowRunsForCommit). A
+      // 'success' status from external-only checks (e.g. CodeRabbit) on a fork PR whose
+      // workflow only triggers on `push` previously reset the counter every iteration,
+      // pinning it at "check 1/5" forever and hanging /merge for over an hour.
+      if (shouldResetNoRunsCounter(ciStatus, noWorkflowRunsForCommit)) {
         // CI checks exist (pending, success, failure, etc.) — the "no runs" counter is irrelevant
         consecutiveNoRunsChecks = 0;
       } else if (noCiConfigured || noCiTriggered) {

package/src/telegram-bot.mjs

@@ -40,7 +40,7 @@ const { getSolveQueue, createQueueExecuteCallback } = await import('./telegram-s
 const { applySolveToolAlias, getFirstParsedPositionalArg, getSolveCommandNameFromText, getSolveToolAliasFromText, moveArgumentToFront, parseArgsWithYargs, parseCommandArgs, SOLVE_COMMAND_NAMES } = await import('./telegram-solve-command.lib.mjs');
 const { executeStartScreen: executeStartScreenCommand, buildExecuteAndUpdateMessage } = await import('./telegram-command-execution.lib.mjs');
 const { isChatStopped, getChatStopInfo, getStoppedChatRejectMessage, DEFAULT_STOP_REASON } = await import('./telegram-start-stop-command.lib.mjs');
-const { isOldMessage: _isOldMessage, isGroupChat: _isGroupChat, isChatAuthorized: _isChatAuthorized, isForwardedOrReply: _isForwardedOrReply, extractCommandFromText, extractGitHubUrl: _extractGitHubUrl } = await import('./telegram-message-filters.lib.mjs');
+const { isOldMessage: _isOldMessage, isGroupChat: _isGroupChat, isChatAuthorized: _isChatAuthorized, isForwarded: _isForwarded, isForwardedOrReply: _isForwardedOrReply, extractCommandFromText, extractGitHubUrl: _extractGitHubUrl } = await import('./telegram-message-filters.lib.mjs');
 const { installTelegramFormattingFallback, isTelegramFormattingError, isTelegramMessageTooLongError, safeEditMessageText, safeReply, TELEGRAM_TEXT_LIMIT } = await import('./telegram-safe-reply.lib.mjs');
 const { registerTerminalWatchCommand, startAutoTerminalWatchForSession } = await import('./telegram-terminal-watch-command.lib.mjs');
 const { launchBotWithRetry } = await import('./telegram-bot-launcher.lib.mjs');
@@ -369,6 +369,13 @@ function isForwardedOrReply(ctx) {
   return _isForwardedOrReply(ctx, { verbose: VERBOSE });
 }
 
+// Forwarded-only check (issue #1922). Commands that support the reply feature
+// (e.g. /task, /solve) must still reject forwarded commands without rejecting
+// genuine user replies, so they use this instead of isForwardedOrReply.
+function isForwarded(ctx) {
+  return _isForwarded(ctx, { verbose: VERBOSE });
+}
+
 /**
  * Validates the model name in the args array and returns an error message if invalid
  * @param {string[]} args - Array of command arguments
@@ -613,7 +620,7 @@ const { registerLanguageCommand } = await import('./telegram-language-command.li
 registerLanguageCommand(bot, { VERBOSE, isOldMessage, isForwardedOrReply });
 
 const { registerAcceptInvitesCommand } = await import('./telegram-accept-invitations.lib.mjs');
-const sharedCommandOpts = { VERBOSE, isOldMessage, isForwardedOrReply, isGroupChat: _isGroupChat, isChatAuthorized, isTopicAuthorized, buildAuthErrorMessage, addBreadcrumb, isChatStopped, getStoppedChatRejectMessage };
+const sharedCommandOpts = { VERBOSE, isOldMessage, isForwarded, isForwardedOrReply, isGroupChat: _isGroupChat, isChatAuthorized, isTopicAuthorized, buildAuthErrorMessage, addBreadcrumb, isChatStopped, getStoppedChatRejectMessage };
 registerAcceptInvitesCommand(bot, sharedCommandOpts);
 const { registerMergeCommand } = await import('./telegram-merge-command.lib.mjs');
 registerMergeCommand(bot, sharedCommandOpts);
@@ -663,12 +670,9 @@ async function handleSolveCommand(ctx) {
   }
 
   // Check if this is a forwarded message (not allowed)
-  // But allow reply messages for URL extraction feature
+  // But allow reply messages for URL extraction feature (issue #1922)
   const message = ctx.message;
-  const isForwarded = message.forward_origin && message.forward_origin.type;
-  const isOldApiForwarded = message.forward_from || message.forward_from_chat || message.forward_from_message_id || message.forward_signature || message.forward_sender_name || message.forward_date;
-
-  if (isForwarded || isOldApiForwarded) {
+  if (isForwarded(ctx)) {
     if (VERBOSE) {
       console.log(`[VERBOSE] ${solveCommandDisplay} ignored: forwarded message`);
     }

package/src/telegram-log-command.lib.mjs

@@ -154,7 +154,7 @@ async function fileSize(filePath) {
  * @param {Function} [options.parseGitHubUrl] - Override for tests
  */
 export async function registerLogCommand(bot, options) {
-  const { VERBOSE = false, isOldMessage, isChatAuthorized, isTopicAuthorized, buildAuthErrorMessage } = options;
+  const { VERBOSE = false, isOldMessage, isForwarded, isChatAuthorized, isTopicAuthorized, buildAuthErrorMessage } = options;
   const querySessionStatus = options.querySessionStatus || (await import('./isolation-runner.lib.mjs')).querySessionStatus;
   const getTrackedSessionInfo = options.getTrackedSessionInfo || (await import('./session-monitor.lib.mjs')).getTrackedSessionInfo;
   const detectRepositoryVisibility = options.detectRepositoryVisibility || (await import('./github.lib.mjs')).detectRepositoryVisibility;
@@ -167,6 +167,11 @@ export async function registerLogCommand(bot, options) {
       VERBOSE && console.log('[VERBOSE] /log ignored: old message');
       return;
     }
+    // Issue #1922: never re-execute a forwarded command.
+    if (isForwarded && isForwarded(ctx)) {
+      VERBOSE && console.log('[VERBOSE] /log ignored: forwarded message');
+      return;
+    }
 
     const chat = ctx.chat;
     const message = ctx.message;

package/src/telegram-message-filters.lib.mjs

@@ -57,31 +57,35 @@ export function isChatAuthorized(chatId, allowedChats) {
 }
 
 /**
- * Check if a message is forwarded or a reply to another user's message.
+ * Check if a message is a forwarded message.
  *
- * This function distinguishes between:
- * 1. Forwarded messages (should be ignored)
- * 2. User replies to other messages (should be ignored, except for /solve reply feature)
- * 3. Forum topic messages (should NOT be ignored - they have reply_to_message pointing
- *    to the topic's first message with forum_topic_created)
- * 4. Normal messages (should NOT be ignored)
+ * Unlike {@link isForwardedOrReply}, this function ONLY detects forwarded
+ * messages and intentionally ignores replies. It exists so command handlers
+ * that rely on the reply feature (e.g. `/task` issue creation, `/solve` URL
+ * extraction) can still reject forwarded commands — which must never be
+ * executed again — while continuing to accept genuine user replies.
+ *
+ * A forwarded command is dangerous because forwarding the bot's own response
+ * (or any message that starts with `/task`, `/solve`, ...) would otherwise
+ * trigger a brand-new execution that the user never intended.
  *
  * @param {Object} ctx - Telegraf context object
  * @param {Object} [options] - Options
  * @param {boolean} [options.verbose] - Enable verbose logging
- * @returns {boolean} true if message is forwarded or a reply (and should be filtered)
+ * @returns {boolean} true if message is forwarded (and should be filtered)
+ * @see https://github.com/link-assistant/hive-mind/issues/1922
  */
-export function isForwardedOrReply(ctx, options = {}) {
+export function isForwarded(ctx, options = {}) {
   const message = ctx.message;
   if (!message) {
     if (options.verbose) {
-      console.log('[VERBOSE] isForwardedOrReply: No message object');
+      console.log('[VERBOSE] isForwarded: No message object');
     }
     return false;
   }
 
   if (options.verbose) {
-    console.log('[VERBOSE] isForwardedOrReply: Checking message fields...');
+    console.log('[VERBOSE] isForwarded: Checking forwarding fields...');
     console.log('[VERBOSE]   message.forward_origin:', JSON.stringify(message.forward_origin));
     console.log('[VERBOSE]   message.forward_origin?.type:', message.forward_origin?.type);
     console.log('[VERBOSE]   message.forward_from:', JSON.stringify(message.forward_from));
@@ -90,8 +94,6 @@ export function isForwardedOrReply(ctx, options = {}) {
     console.log('[VERBOSE]   message.forward_signature:', message.forward_signature);
     console.log('[VERBOSE]   message.forward_sender_name:', message.forward_sender_name);
     console.log('[VERBOSE]   message.forward_date:', message.forward_date);
-    console.log('[VERBOSE]   message.reply_to_message:', JSON.stringify(message.reply_to_message));
-    console.log('[VERBOSE]   message.reply_to_message?.message_id:', message.reply_to_message?.message_id);
   }
 
   // Check if message is forwarded (has forward_origin field with actual content)
@@ -99,15 +101,57 @@ export function isForwardedOrReply(ctx, options = {}) {
   // which are truthy in JavaScript but don't indicate a forwarded message
   if (message.forward_origin && message.forward_origin.type) {
     if (options.verbose) {
-      console.log('[VERBOSE] isForwardedOrReply: TRUE - forward_origin.type exists:', message.forward_origin.type);
+      console.log('[VERBOSE] isForwarded: TRUE - forward_origin.type exists:', message.forward_origin.type);
     }
     return true;
   }
   // Also check old forwarding API fields for backward compatibility
   if (message.forward_from || message.forward_from_chat || message.forward_from_message_id || message.forward_signature || message.forward_sender_name || message.forward_date) {
     if (options.verbose) {
-      console.log('[VERBOSE] isForwardedOrReply: TRUE - old forwarding API field detected');
+      console.log('[VERBOSE] isForwarded: TRUE - old forwarding API field detected');
+    }
+    return true;
+  }
+
+  if (options.verbose) {
+    console.log('[VERBOSE] isForwarded: FALSE - no forwarding detected');
+  }
+  return false;
+}
+
+/**
+ * Check if a message is forwarded or a reply to another user's message.
+ *
+ * This function distinguishes between:
+ * 1. Forwarded messages (should be ignored)
+ * 2. User replies to other messages (should be ignored, except for /solve reply feature)
+ * 3. Forum topic messages (should NOT be ignored - they have reply_to_message pointing
+ *    to the topic's first message with forum_topic_created)
+ * 4. Normal messages (should NOT be ignored)
+ *
+ * @param {Object} ctx - Telegraf context object
+ * @param {Object} [options] - Options
+ * @param {boolean} [options.verbose] - Enable verbose logging
+ * @returns {boolean} true if message is forwarded or a reply (and should be filtered)
+ */
+export function isForwardedOrReply(ctx, options = {}) {
+  const message = ctx.message;
+  if (!message) {
+    if (options.verbose) {
+      console.log('[VERBOSE] isForwardedOrReply: No message object');
     }
+    return false;
+  }
+
+  if (options.verbose) {
+    console.log('[VERBOSE] isForwardedOrReply: Checking message fields...');
+    console.log('[VERBOSE]   message.reply_to_message:', JSON.stringify(message.reply_to_message));
+    console.log('[VERBOSE]   message.reply_to_message?.message_id:', message.reply_to_message?.message_id);
+  }
+
+  // Forwarded messages are handled by the shared isForwarded() filter so the
+  // forwarding detection logic lives in exactly one place (issue #1922).
+  if (isForwarded(ctx, options)) {
     return true;
   }
   // Check if message is a reply (has reply_to_message field with actual content)

package/src/telegram-start-stop-command.lib.mjs

@@ -270,7 +270,7 @@ export function isStopTargetRequester({ userId, queueItem = null, sessionInfo =
  *   See https://github.com/link-assistant/hive-mind/issues/1871.
  */
 export function registerStartStopCommands(bot, options) {
-  const { VERBOSE = false, isOldMessage, isForwardedOrReply, isGroupChat, isChatAuthorized, isTopicAuthorized, buildAuthErrorMessage, getSolveQueue } = options;
+  const { VERBOSE = false, isOldMessage, isForwarded, isForwardedOrReply, isGroupChat, isChatAuthorized, isTopicAuthorized, buildAuthErrorMessage, getSolveQueue } = options;
   const stopIsolatedSessionImpl = options.stopIsolatedSession || (async (...args) => (await import('./isolation-runner.lib.mjs')).stopIsolatedSession(...args));
   // Issue #1783: look the UUID up in the session monitor so /stop can let the
   // user who started the task stop it (mirrors /terminal_watch from PR #1779).
@@ -529,6 +529,13 @@ export function registerStartStopCommands(bot, options) {
       VERBOSE && console.log('[VERBOSE] /stop ignored: old message');
       return;
     }
+    // Issue #1922: a forwarded /stop (even a targeted `/stop <uuid>`) must never
+    // be re-executed. Replies are still allowed because the targeted modes use
+    // them on purpose (#524, #1780), so we use the forwarded-only filter here.
+    if (isForwarded && isForwarded(ctx)) {
+      VERBOSE && console.log('[VERBOSE] /stop ignored: forwarded message');
+      return;
+    }
 
     // Detect UUID/URL targets BEFORE the forwarded/reply rejection used by
     // the chat-level stop, because both targeted modes are intentionally

package/src/telegram-task-command.lib.mjs

@@ -95,7 +95,7 @@ function injectLanguageIfMissing(args, locale) {
 }
 
 export function registerTaskCommands(bot, options) {
-  const { VERBOSE, taskEnabled, addBreadcrumb, isOldMessage, isGroupChat, isTopicAuthorized, buildAuthErrorMessage, isChatStopped, getStoppedChatRejectMessage, safeReply, executeAndUpdateMessage, createTaskIssue: createTaskIssueFn = createTaskIssue, resolveLocale = null } = options;
+  const { VERBOSE, taskEnabled, addBreadcrumb, isOldMessage, isForwarded, isGroupChat, isTopicAuthorized, buildAuthErrorMessage, isChatStopped, getStoppedChatRejectMessage, safeReply, executeAndUpdateMessage, createTaskIssue: createTaskIssueFn = createTaskIssue, resolveLocale = null } = options;
 
   async function handleTaskCommand(ctx) {
     const commandName = getTaskCommandNameFromText(ctx.message?.text) || 'task';
@@ -114,6 +114,13 @@ export function registerTaskCommands(bot, options) {
       return;
     }
     if (isOldMessage(ctx)) return;
+    // Issue #1922: a forwarded /task command must never be re-executed. Replies
+    // are still allowed because /task uses them for issue creation, so we use the
+    // forwarded-only filter instead of isForwardedOrReply.
+    if (isForwarded && isForwarded(ctx)) {
+      VERBOSE && console.log(`[VERBOSE] ${commandDisplay} ignored: forwarded message`);
+      return;
+    }
     if (!isGroupChat(ctx)) {
       await ctx.reply(`❌ The ${commandDisplay} command only works in group chats. Please add this bot to a group and make it an admin.`, { reply_to_message_id: ctx.message.message_id });
       return;

package/src/telegram-terminal-watch-command.lib.mjs

@@ -307,7 +307,7 @@ export async function startAutoTerminalWatchForSession({ bot, ctx, sessionId, se
 }
 
 export async function registerTerminalWatchCommand(bot, options) {
-  const { VERBOSE = false, isOldMessage, isChatAuthorized, isTopicAuthorized, buildAuthErrorMessage } = options;
+  const { VERBOSE = false, isOldMessage, isForwarded, isChatAuthorized, isTopicAuthorized, buildAuthErrorMessage } = options;
   const runner = !options.querySessionStatus || !options.isTerminalSessionStatus ? await import('./isolation-runner.lib.mjs') : null;
   const querySessionStatus = options.querySessionStatus || runner.querySessionStatus;
   const isTerminalSessionStatus = options.isTerminalSessionStatus || runner.isTerminalSessionStatus;
@@ -318,6 +318,11 @@ export async function registerTerminalWatchCommand(bot, options) {
   const handleTerminalWatchCommand = async ctx => {
     VERBOSE && console.log('[VERBOSE] /terminal_watch command received');
     if (isOldMessage && isOldMessage(ctx)) return;
+    // Issue #1922: never re-execute a forwarded command.
+    if (isForwarded && isForwarded(ctx)) {
+      VERBOSE && console.log('[VERBOSE] /terminal_watch ignored: forwarded message');
+      return;
+    }
 
     const chat = ctx.chat;
     const message = ctx.message;

package/src/telegram-tokens-command.lib.mjs

@@ -90,7 +90,7 @@ export const formatTokenList = tokens => {
  * @param {Function} [options.fetchTokens] — test override for getAllKnownLocalTokens
  */
 export const registerTokensCommand = (bot, options = {}) => {
-  const { VERBOSE = false, isOldMessage, allowedChats } = options;
+  const { VERBOSE = false, isOldMessage, isForwarded, allowedChats } = options;
   const fetchTokens = options.fetchTokens || getAllKnownLocalTokens;
 
   bot.command('tokens', async ctx => {
@@ -98,6 +98,11 @@ export const registerTokensCommand = (bot, options = {}) => {
       VERBOSE && console.log('[VERBOSE] /tokens ignored: old message');
       return;
     }
+    // Issue #1922: never re-execute a forwarded command.
+    if (isForwarded && isForwarded(ctx)) {
+      VERBOSE && console.log('[VERBOSE] /tokens ignored: forwarded message');
+      return;
+    }
 
     const chat = ctx.chat;
     if (!chat || !ctx.from) return;

package/src/tool-retry.lib.mjs

@@ -72,6 +72,22 @@ export const classifyRetryableError = value => {
     return { message, isRetryable: false, isCapacity: false, requiresFreshSession: true, label: 'Corrupted thinking blocks (un-resumable session)' };
   }
 
+  // Issue #1924: Server-side temporary rate limiting (HTTP 429), distinct from an
+  // account usage/quota limit. The Claude CLI surfaces this as a synthetic
+  // assistant/result message and an api_error_status of 429:
+  //   "API Error: Server is temporarily limiting requests (not your usage limit) · Rate limited"
+  // The response carries `x-should-retry: true` and the stream emits a
+  // `rate_limit_event` with `status: "rejected"`. Because the message explicitly
+  // says "not your usage limit", it is NOT a usage-limit reset-time situation and
+  // must NOT be routed through detectUsageLimit() (there is no reset time to wait
+  // for). It is a transient throttle that clears on its own, so it is safe to
+  // retry with the session preserved (--resume) after a backoff. Switching models
+  // does not help (the throttle is request-rate, not model capacity), so
+  // isCapacity is false.
+  if (lower.includes('temporarily limiting requests') || (lower.includes('rate limited') && lower.includes('not your usage limit')) || (lower.includes('rate_limit') && lower.includes('429'))) {
+    return { message, isRetryable: true, isCapacity: false, label: 'Server rate limited (429)' };
+  }
+
   if (lower.includes('api error: 503') || (lower.includes('503') && (lower.includes('upstream connect error') || lower.includes('remote connection failure')))) {
     return { message, isRetryable: true, isCapacity: false, label: '503 network error' };
   }