@oss-autopilot/core 1.7.0 → 1.8.0

package/dist/core/issue-discovery.js

@@ -13,6 +13,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { getOctokit, checkRateLimit } from './github.js';
 import { getStateManager } from './state.js';
+import { getSearchBudgetTracker } from './search-budget.js';
 import { daysBetween, getDataDir, sleep } from './utils.js';
 import { DEFAULT_CONFIG, SCOPE_LABELS } from './types.js';
 import { ValidationError, errorMessage, getHttpStatusCode, isRateLimitError } from './errors.js';
@@ -159,10 +160,12 @@ export class IssueDiscovery {
         let rateLimitHitDuringSearch = false;
         // Pre-flight rate limit check (#100) — also determines adaptive phase budget
         this.rateLimitWarning = null;
+        const tracker = getSearchBudgetTracker();
         let searchBudget = LOW_BUDGET_THRESHOLD - 1; // conservative: below threshold to skip heavy phases
         try {
             const rateLimit = await checkRateLimit(this.githubToken);
             searchBudget = rateLimit.remaining;
+            tracker.init(rateLimit.remaining, rateLimit.resetAt);
             if (rateLimit.remaining < 5) {
                 const resetTime = new Date(rateLimit.resetAt).toLocaleTimeString('en-US', { hour12: false });
                 this.rateLimitWarning = `GitHub search API quota low (${rateLimit.remaining}/${rateLimit.limit} remaining, resets at ${resetTime}). Search may be slow.`;
@@ -180,7 +183,9 @@ export class IssueDiscovery {
             if (getHttpStatusCode(error) === 401) {
                 throw error;
             }
-            // Non-fatal: proceed with conservative budget for transient/network errors
+            // Non-fatal: proceed with conservative budget for transient/network errors.
+            // Initialize tracker with conservative defaults so it doesn't fly blind.
+            tracker.init(CRITICAL_BUDGET_THRESHOLD, new Date(Date.now() + 60000).toISOString());
             warn(MODULE, 'Could not check rate limit — using conservative budget, skipping heavy phases:', errorMessage(error));
         }
         // Get merged-PR repos (highest merge probability)
@@ -329,7 +334,12 @@ export class IssueDiscovery {
                 info(MODULE, `Phase 1: Searching issues in ${reposToSearch.length} starred repos...`);
                 const remainingNeeded = maxResults - allCandidates.length;
                 if (remainingNeeded > 0) {
-                    const { candidates: starredCandidates, allBatchesFailed, rateLimitHit, } = await searchInRepos(this.octokit, this.vetter, reposToSearch.slice(0, 10), baseQualifiers, labels, remainingNeeded, 'starred', filterIssues);
+                    // Cap labels to reduce Search API calls: starred repos already signal user
+                    // interest, so fewer labels suffice. With 3 labels and batch size 3 (2 repo ORs),
+                    // each batch fits in a single label chunk instead of 3+, cutting Phase 1 calls
+                    // from ~12 to ~4.
+                    const phase1Labels = labels.slice(0, 3);
+                    const { candidates: starredCandidates, allBatchesFailed, rateLimitHit, } = await searchInRepos(this.octokit, this.vetter, reposToSearch.slice(0, 10), baseQualifiers, phase1Labels, remainingNeeded, 'starred', filterIssues);
                     allCandidates.push(...starredCandidates);
                     if (allBatchesFailed) {
                         phase1Error = 'All starred repo batches failed';
@@ -502,6 +512,7 @@ export class IssueDiscovery {
         });
         // Apply per-repo cap: max 2 issues from any single repo (#105)
         const capped = applyPerRepoCap(allCandidates, 2);
+        info(MODULE, `Search complete: ${tracker.getTotalCalls()} Search API calls used, ${capped.length} candidates returned`);
         return capped.slice(0, maxResults);
     }
     /**

package/dist/core/issue-eligibility.d.ts

@@ -14,12 +14,15 @@ export interface CheckResult {
 }
 /**
  * Check whether an open PR already exists for the given issue.
- * Searches both the PR search index and the issue timeline for linked PRs.
+ * Uses the timeline API (REST) to detect cross-referenced PRs, avoiding
+ * the Search API's strict 30 req/min rate limit.
  */
 export declare function checkNoExistingPR(octokit: Octokit, owner: string, repo: string, issueNumber: number): Promise<CheckResult>;
 /**
  * Check how many merged PRs the authenticated user has in a repo.
  * Uses GitHub Search API. Returns 0 on error (non-fatal).
+ * Results are cached per-repo for 15 minutes to avoid redundant Search API
+ * calls when multiple issues from the same repo are vetted.
  */
 export declare function checkUserMergedPRsInRepo(octokit: Octokit, owner: string, repo: string): Promise<number>;
 /**

package/dist/core/issue-eligibility.js

@@ -8,6 +8,8 @@
 import { paginateAll } from './pagination.js';
 import { errorMessage } from './errors.js';
 import { warn } from './logger.js';
+import { getHttpCache } from './http-cache.js';
+import { getSearchBudgetTracker } from './search-budget.js';
 const MODULE = 'issue-eligibility';
 /** Phrases that indicate someone has already claimed an issue. */
 const CLAIM_PHRASES = [
@@ -29,16 +31,16 @@ const CLAIM_PHRASES = [
 ];
 /**
  * Check whether an open PR already exists for the given issue.
- * Searches both the PR search index and the issue timeline for linked PRs.
+ * Uses the timeline API (REST) to detect cross-referenced PRs, avoiding
+ * the Search API's strict 30 req/min rate limit.
  */
 export async function checkNoExistingPR(octokit, owner, repo, issueNumber) {
     try {
-        // Search for PRs that mention this issue
-        const { data } = await octokit.search.issuesAndPullRequests({
-            q: `repo:${owner}/${repo} is:pr ${issueNumber}`,
-            per_page: 5,
-        });
-        // Also check timeline for linked PRs
+        // Use the timeline API (REST, not Search) to detect linked PRs.
+        // This avoids consuming GitHub Search API quota (30 req/min limit).
+        // Timeline captures formally linked PRs via cross-referenced events
+        // but may miss PRs that only mention the issue number without a formal
+        // link — an acceptable trade-off since most PRs use "Fixes #N" syntax.
         const timeline = await paginateAll((page) => octokit.issues.listEventsForTimeline({
             owner,
             repo,
@@ -50,7 +52,7 @@ export async function checkNoExistingPR(octokit, owner, repo, issueNumber) {
             const e = event;
             return e.event === 'cross-referenced' && e.source?.issue?.pull_request;
         });
-        return { passed: data.total_count === 0 && linkedPRs.length === 0 };
+        return { passed: linkedPRs.length === 0 };
     }
     catch (error) {
         const errMsg = errorMessage(error);
@@ -58,23 +60,46 @@ export async function checkNoExistingPR(octokit, owner, repo, issueNumber) {
         return { passed: true, inconclusive: true, reason: errMsg };
     }
 }
+/** TTL for cached merged-PR counts per repo (15 minutes). */
+const MERGED_PR_CACHE_TTL_MS = 15 * 60 * 1000;
 /**
  * Check how many merged PRs the authenticated user has in a repo.
  * Uses GitHub Search API. Returns 0 on error (non-fatal).
+ * Results are cached per-repo for 15 minutes to avoid redundant Search API
+ * calls when multiple issues from the same repo are vetted.
  */
 export async function checkUserMergedPRsInRepo(octokit, owner, repo) {
+    const cache = getHttpCache();
+    const cacheKey = `merged-prs:${owner}/${repo}`;
+    // Manual cache check — do not use cachedTimeBased because we must NOT cache
+    // error-path fallback values (a transient failure returning 0 would poison the
+    // cache for 15 minutes, hiding that the user has merged PRs in the repo).
+    const cached = cache.getIfFresh(cacheKey, MERGED_PR_CACHE_TTL_MS);
+    if (cached != null && typeof cached === 'number') {
+        return cached;
+    }
     try {
-        // Use @me to search as the authenticated user
-        const { data } = await octokit.search.issuesAndPullRequests({
-            q: `repo:${owner}/${repo} is:pr is:merged author:@me`,
-            per_page: 1, // We only need total_count
-        });
-        return data.total_count;
+        const tracker = getSearchBudgetTracker();
+        await tracker.waitForBudget();
+        try {
+            // Use @me to search as the authenticated user
+            const { data } = await octokit.search.issuesAndPullRequests({
+                q: `repo:${owner}/${repo} is:pr is:merged author:@me`,
+                per_page: 1, // We only need total_count
+            });
+            // Only cache successful results
+            cache.set(cacheKey, '', data.total_count);
+            return data.total_count;
+        }
+        finally {
+            // Always record the call — failed requests still consume GitHub rate limit points
+            tracker.recordCall();
+        }
     }
     catch (error) {
         const errMsg = errorMessage(error);
         warn(MODULE, `Could not check merged PRs in ${owner}/${repo}: ${errMsg}. Defaulting to 0.`);
-        return 0;
+        return 0; // Not cached — next call will retry
     }
 }
 /**

package/dist/core/issue-vetting.js

@@ -52,13 +52,17 @@ export class IssueVetter {
             repo,
             issue_number: number,
         });
+        // Check local state first to skip the merged-PR Search API call when
+        // the repo already has authoritative data (saves 1 Search call per issue).
+        const repoScoreRecord = this.stateManager.getRepoScore(repoFullName);
+        const skipMergedPRCheck = repoScoreRecord != null && repoScoreRecord.mergedPRCount > 0;
         // Run all vetting checks in parallel — delegates to standalone functions
         const [existingPRCheck, claimCheck, projectHealth, contributionGuidelines, userMergedPRCount] = await Promise.all([
             checkNoExistingPR(this.octokit, owner, repo, number),
             checkNotClaimed(this.octokit, owner, repo, number, ghIssue.comments),
             checkProjectHealth(this.octokit, owner, repo),
             fetchContributionGuidelines(this.octokit, owner, repo),
-            checkUserMergedPRsInRepo(this.octokit, owner, repo),
+            skipMergedPRCheck ? Promise.resolve(0) : checkUserMergedPRsInRepo(this.octokit, owner, repo),
         ]);
         const noExistingPR = existingPRCheck.passed;
         const notClaimed = claimCheck.passed;
@@ -138,7 +142,6 @@ export class IssueVetter {
         // Determine effective merged PR count: prefer local state (authoritative if present),
         // fall back to live GitHub API count to detect contributions made before using oss-autopilot (#373)
         const config = this.stateManager.getState().config;
-        const repoScoreRecord = this.stateManager.getRepoScore(repoFullName);
         const effectiveMergedCount = repoScoreRecord && repoScoreRecord.mergedPRCount > 0 ? repoScoreRecord.mergedPRCount : userMergedPRCount;
         if (effectiveMergedCount > 0) {
             reasonsToApprove.push(`Trusted project (${effectiveMergedCount} PR${effectiveMergedCount > 1 ? 's' : ''} merged)`);

package/dist/core/search-budget.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Search Budget Tracker — centralized rate limit management for GitHub Search API.
+ *
+ * The GitHub Search API enforces a strict 30 requests/minute limit for
+ * authenticated users. This module tracks actual consumption via a sliding
+ * window and provides adaptive delays to stay within budget.
+ *
+ * Usage:
+ * - Initialize once per search run with pre-flight rate limit data
+ * - Call recordCall() after every Search API call
+ * - Call waitForBudget() before making a Search API call to pace requests
+ * - Call canAfford(n) to check if n more calls fit in the remaining budget
+ */
+export declare class SearchBudgetTracker {
+    /** Timestamps of recent Search API calls within the sliding window. */
+    private callTimestamps;
+    /** Last known remaining quota from GitHub's rate limit endpoint. */
+    private knownRemaining;
+    /** Epoch ms when the rate limit window resets (from GitHub API). */
+    private resetAt;
+    /** Total calls recorded since init (for diagnostics). */
+    private totalCalls;
+    /**
+     * Initialize with pre-flight rate limit data from GitHub.
+     */
+    init(remaining: number, resetAt: string): void;
+    /**
+     * Record that a Search API call was just made.
+     */
+    recordCall(): void;
+    /**
+     * Remove timestamps older than the sliding window.
+     */
+    private pruneOldTimestamps;
+    /**
+     * Get the number of calls made in the current sliding window.
+     */
+    getCallsInWindow(): number;
+    /**
+     * Get the effective budget, accounting for both the sliding window limit
+     * and the pre-flight remaining quota from GitHub.
+     */
+    private getEffectiveBudget;
+    /**
+     * Check if we can afford N more Search API calls without exceeding the budget.
+     */
+    canAfford(n: number): boolean;
+    /**
+     * Wait if necessary to stay within the Search API rate limit.
+     * If the sliding window is at capacity, sleeps until the oldest
+     * call ages out of the window.
+     */
+    waitForBudget(): Promise<void>;
+    /**
+     * Get total calls recorded since init (for diagnostics).
+     */
+    getTotalCalls(): number;
+}
+/**
+ * Get (or create) the shared SearchBudgetTracker singleton.
+ */
+export declare function getSearchBudgetTracker(): SearchBudgetTracker;

package/dist/core/search-budget.js

@@ -0,0 +1,129 @@
+/**
+ * Search Budget Tracker — centralized rate limit management for GitHub Search API.
+ *
+ * The GitHub Search API enforces a strict 30 requests/minute limit for
+ * authenticated users. This module tracks actual consumption via a sliding
+ * window and provides adaptive delays to stay within budget.
+ *
+ * Usage:
+ * - Initialize once per search run with pre-flight rate limit data
+ * - Call recordCall() after every Search API call
+ * - Call waitForBudget() before making a Search API call to pace requests
+ * - Call canAfford(n) to check if n more calls fit in the remaining budget
+ */
+import { debug } from './logger.js';
+import { sleep } from './utils.js';
+const MODULE = 'search-budget';
+/** GitHub Search API rate limit: 30 requests per 60-second rolling window. */
+const SEARCH_RATE_LIMIT = 30;
+const SEARCH_WINDOW_MS = 60 * 1000;
+/** Safety margin: reserve a few calls for retries and cross-process usage. */
+const SAFETY_MARGIN = 4;
+/** Effective budget per window after safety margin. */
+const EFFECTIVE_BUDGET = SEARCH_RATE_LIMIT - SAFETY_MARGIN;
+export class SearchBudgetTracker {
+    /** Timestamps of recent Search API calls within the sliding window. */
+    callTimestamps = [];
+    /** Last known remaining quota from GitHub's rate limit endpoint. */
+    knownRemaining = SEARCH_RATE_LIMIT;
+    /** Epoch ms when the rate limit window resets (from GitHub API). */
+    resetAt = 0;
+    /** Total calls recorded since init (for diagnostics). */
+    totalCalls = 0;
+    /**
+     * Initialize with pre-flight rate limit data from GitHub.
+     */
+    init(remaining, resetAt) {
+        this.knownRemaining = remaining;
+        this.resetAt = new Date(resetAt).getTime();
+        this.callTimestamps = [];
+        this.totalCalls = 0;
+        debug(MODULE, `Initialized: ${remaining} remaining, resets at ${new Date(this.resetAt).toLocaleTimeString()}`);
+    }
+    /**
+     * Record that a Search API call was just made.
+     */
+    recordCall() {
+        this.callTimestamps.push(Date.now());
+        this.totalCalls++;
+        this.pruneOldTimestamps();
+    }
+    /**
+     * Remove timestamps older than the sliding window.
+     */
+    pruneOldTimestamps() {
+        const cutoff = Date.now() - SEARCH_WINDOW_MS;
+        while (this.callTimestamps.length > 0 && this.callTimestamps[0] < cutoff) {
+            this.callTimestamps.shift();
+        }
+    }
+    /**
+     * Get the number of calls made in the current sliding window.
+     */
+    getCallsInWindow() {
+        this.pruneOldTimestamps();
+        return this.callTimestamps.length;
+    }
+    /**
+     * Get the effective budget, accounting for both the sliding window limit
+     * and the pre-flight remaining quota from GitHub.
+     */
+    getEffectiveBudget() {
+        // Use the stricter of: local window limit vs. pre-flight remaining minus calls made
+        const localBudget = EFFECTIVE_BUDGET - this.callTimestamps.length;
+        const externalBudget = this.knownRemaining - this.totalCalls;
+        return Math.max(0, Math.min(localBudget, externalBudget));
+    }
+    /**
+     * Check if we can afford N more Search API calls without exceeding the budget.
+     */
+    canAfford(n) {
+        this.pruneOldTimestamps();
+        return this.getEffectiveBudget() >= n;
+    }
+    /**
+     * Wait if necessary to stay within the Search API rate limit.
+     * If the sliding window is at capacity, sleeps until the oldest
+     * call ages out of the window.
+     */
+    async waitForBudget() {
+        // Loop to handle edge cases where a single sleep isn't enough
+        // (e.g., concurrent callers, clock skew, or external budget depletion)
+        while (true) {
+            this.pruneOldTimestamps();
+            if (this.getEffectiveBudget() > 0) {
+                return; // Budget available, no wait needed
+            }
+            // Wait until the oldest call in the window ages out
+            const oldestInWindow = this.callTimestamps[0];
+            if (!oldestInWindow) {
+                return; // No calls in window — budget exhausted by external consumption, can't wait it out
+            }
+            const waitUntil = oldestInWindow + SEARCH_WINDOW_MS;
+            const waitMs = waitUntil - Date.now();
+            if (waitMs > 0) {
+                debug(MODULE, `Budget full (${this.callTimestamps.length}/${EFFECTIVE_BUDGET} in window), waiting ${waitMs}ms`);
+                await sleep(waitMs + 100); // +100ms safety buffer
+            }
+        }
+    }
+    /**
+     * Get total calls recorded since init (for diagnostics).
+     */
+    getTotalCalls() {
+        return this.totalCalls;
+    }
+}
+// ---------------------------------------------------------------------------
+// Singleton
+// ---------------------------------------------------------------------------
+let _tracker = null;
+/**
+ * Get (or create) the shared SearchBudgetTracker singleton.
+ */
+export function getSearchBudgetTracker() {
+    if (!_tracker) {
+        _tracker = new SearchBudgetTracker();
+    }
+    return _tracker;
+}

package/dist/core/search-phases.js

@@ -10,11 +10,14 @@ import { debug, warn } from './logger.js';
 import { getHttpCache, cachedTimeBased } from './http-cache.js';
 import { detectLabelFarmingRepos } from './issue-filtering.js';
 import { sleep } from './utils.js';
+import { getSearchBudgetTracker } from './search-budget.js';
 const MODULE = 'search-phases';
 /** GitHub Search API enforces a max of 5 AND/OR/NOT operators per query. */
 export const GITHUB_MAX_BOOLEAN_OPS = 5;
-/** Delay between search API calls to avoid GitHub's secondary rate limit (~30 req/min). */
-const INTER_QUERY_DELAY_MS = 1500;
+/** Delay between search API calls to avoid GitHub's secondary rate limit (~30 req/min).
+ * Set to 2000ms as a safety floor (max 30/min at the limit). The SearchBudgetTracker
+ * adds additional adaptive delays when needed. */
+const INTER_QUERY_DELAY_MS = 2000;
 /** Batch size for repo queries. 3 repos = 2 OR operators, leaving room for labels. */
 const BATCH_SIZE = 3;
 /**
@@ -93,8 +96,16 @@ const SEARCH_CACHE_TTL_MS = 15 * 60 * 1000;
 export async function cachedSearchIssues(octokit, params) {
     const cacheKey = `search:${params.q}:${params.sort}:${params.order}:${params.per_page}`;
     return cachedTimeBased(getHttpCache(), cacheKey, SEARCH_CACHE_TTL_MS, async () => {
-        const { data } = await octokit.search.issuesAndPullRequests(params);
-        return data;
+        const tracker = getSearchBudgetTracker();
+        await tracker.waitForBudget();
+        try {
+            const { data } = await octokit.search.issuesAndPullRequests(params);
+            return data;
+        }
+        finally {
+            // Always record the call — failed requests still consume GitHub rate limit points
+            tracker.recordCall();
+        }
     });
 }
 // ── Search infrastructure ──

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oss-autopilot/core",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "description": "CLI and core library for managing open source contributions",
   "type": "module",
   "bin": {