@oss-autopilot/core 3.10.0 → 3.12.0

package/dist/cli.js

@@ -10,7 +10,7 @@
  */
 import { Command } from 'commander';
 import { getGitHubTokenAsync, enableDebug, debug, getCLIVersion, stateFileExists } from './core/index.js';
-import { commands } from './cli-registry.js';
+import { commands, handleCommandError } from './cli-registry.js';
 const VERSION = getCLIVersion();
 const program = new Command();
 program
@@ -100,5 +100,13 @@ Run oss-autopilot --help for all commands.
 `);
     process.exit(0);
 }
-// Parse and execute
-program.parse();
+// Parse and execute. parseAsync, not parse: the preAction hook is async, so
+// with synchronous parse() a rejected hook promise (corrupt Gist, missing
+// gist scope, rate limit during bootstrap — all of which ensureGistPersistence
+// now propagates) became an UnhandledPromiseRejection and the user saw a raw
+// stack instead of the actionable message (#1386). Command actions already
+// route their errors through executeAction/handleCommandError, so this catch
+// covers exactly the hook path (plus any handler that escapes the wrapper).
+program.parseAsync().catch((err) => {
+    handleCommandError(err, process.argv.includes('--json'));
+});

package/dist/commands/comments.js

@@ -3,7 +3,8 @@
  * Handles GitHub comment interactions
  */
 import { getStateManager, getOctokit, parseGitHubUrl, requireGitHubToken, maybeCheckpoint } from '../core/index.js';
-import { ValidationError } from '../core/errors.js';
+import { wrapUntrustedContent } from '../core/untrusted-content.js';
+import { ValidationError, isRateLimitOrAuthError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
 const MODULE = 'comments';
 import { paginateAll } from '../core/pagination.js';
@@ -77,6 +78,12 @@ export async function runComments(options) {
     const relevantReviews = reviews
         .filter((r) => filterComment(r) && r.body && r.body.trim())
         .sort((a, b) => new Date(b.submitted_at || 0).getTime() - new Date(a.submitted_at || 0).getTime());
+    // Fence every third-party body at this boundary: the output feeds agents
+    // directly (CLI --json, the MCP `comments` tool, and the `respond-to-pr`
+    // MCP prompt), so raw GitHub text must never reach a prompt unfenced
+    // (#1372). The CLI text display unwraps via safeExtractFromFence.
+    const fenceLabel = `${owner}/${repo}#${pull_number}`;
+    const fence = (body, source, author, association) => wrapUntrustedContent(body, fenceLabel, { author, association, source });
     const staleness = stateManager.getStateStaleness();
     return {
         pr: {
@@ -90,18 +97,18 @@ export async function runComments(options) {
         reviews: relevantReviews.map((r) => ({
             user: r.user?.login,
             state: r.state,
-            body: r.body ?? null,
+            body: r.body == null ? null : fence(r.body, 'pr-review', r.user?.login, r.author_association),
             submittedAt: r.submitted_at ?? null,
         })),
         reviewComments: relevantReviewComments.map((c) => ({
             user: c.user?.login,
-            body: c.body,
+            body: fence(c.body, 'pr-review-comment', c.user?.login, c.author_association),
             path: c.path,
             createdAt: c.created_at,
         })),
         issueComments: relevantIssueComments.map((c) => ({
             user: c.user?.login,
-            body: c.body,
+            body: c.body == null ? c.body : fence(c.body, 'pr-issue-comment', c.user?.login, c.author_association),
             createdAt: c.created_at,
         })),
         summary: {
@@ -170,16 +177,15 @@ export async function runClaim(options) {
     }
     const { owner, repo, number } = parsed;
     const octokit = getOctokit(token);
-    const { data: comment } = await octokit.issues.createComment({
-        owner,
-        repo,
-        issue_number: number,
-        body: message,
-    });
     // Fetch the real issue title + labels so the tracked entry has useful metadata
     // rather than a permanent "(claimed)" placeholder that never gets backfilled
     // (#1056 M24). Best-effort: if the fetch fails, fall back to the placeholder
     // so state still records the claim.
+    //
+    // Ordering matters: enrichment runs BEFORE the claim comment is posted
+    // (#1391). Rate-limit / auth failures rethrow here, and aborting after the
+    // comment landed would leave an orphaned claim on GitHub that local state
+    // never tracked — aborting before it means a clean no-op the user can retry.
     let issueTitle = '(claimed)';
     let issueLabels = [];
     let issueCreatedAt = new Date().toISOString();
@@ -194,9 +200,18 @@ export async function runClaim(options) {
             issueCreatedAt = issue.created_at;
     }
     catch (error) {
-        warn(MODULE, `Claimed ${options.issueUrl} but failed to enrich issue metadata (title/labels): ${error instanceof Error ? error.message : error}`);
+        if (isRateLimitOrAuthError(error))
+            throw error;
+        warn(MODULE, `Failed to enrich issue metadata (title/labels) for ${options.issueUrl}; claiming with placeholder: ${error instanceof Error ? error.message : error}`);
     }
+    const { data: comment } = await octokit.issues.createComment({
+        owner,
+        repo,
+        issue_number: number,
+        body: message,
+    });
     // Add to tracked issues — non-fatal if state save fails (comment already posted)
+    let gistSyncWarning = null;
     try {
         const stateManager = getStateManager();
         stateManager.addIssue({
@@ -211,10 +226,10 @@ export async function runClaim(options) {
             updatedAt: new Date().toISOString(),
             vetted: false,
         });
-        // Push state to Gist if in Gist mode. Best-effort — logs on failure
-        // rather than silently swallowing, so operators see the degraded-sync
-        // signal (#1036 audit H1).
-        await maybeCheckpoint(stateManager, MODULE);
+        // Push state to Gist if in Gist mode. Best-effort — the warning is
+        // threaded into the structured output so MCP/dashboard consumers see
+        // the degraded-sync signal, not just the stderr log (#1036 audit H1, #1370).
+        gistSyncWarning = await maybeCheckpoint(stateManager, MODULE);
     }
     catch (error) {
         // Structured warning instead of bare console.error so the breadcrumb shows
@@ -224,5 +239,6 @@ export async function runClaim(options) {
     return {
         commentUrl: comment.html_url,
         issueUrl: options.issueUrl,
+        ...(gistSyncWarning ? { gistSyncWarning } : {}),
     };
 }

package/dist/commands/compliance-score.js

@@ -11,15 +11,20 @@
  * mutation, runs against a public PR URL.
  */
 import { getOctokit, requireGitHubToken } from '../core/index.js';
-import { ValidationError } from '../core/errors.js';
+import { ValidationError, errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
+import { warn } from '../core/logger.js';
 import { validateUrl, PR_URL_PATTERN, validateGitHubUrl } from './validation.js';
 import { parseGitHubUrl } from '../core/urls.js';
 import { computeComplianceScore, } from '../core/compliance-score.js';
+const MODULE = 'compliance-score';
 /**
  * Detect whether the target repo has visible test infrastructure. Looks
  * for the well-known directories at the repo root in a single contents
- * call. Failures (missing repo, rate limit, network) surface as
- * `undefined` so the score function falls back to its strict default.
+ * call. Non-fatal failures (missing repo, 5xx, network) surface as
+ * `undefined` so the score function falls back to its strict default,
+ * with a warning so "couldn't look" is distinguishable from "no test
+ * dir" in logs. Rate-limit / auth errors propagate — swallowing them
+ * here would mask a systemic problem affecting the whole run (#1373).
  */
 async function detectTestInfrastructure(octokit, owner, repo) {
     try {
@@ -29,7 +34,10 @@ async function detectTestInfrastructure(octokit, owner, repo) {
         const TEST_DIR = /^(?:tests?|__tests__|spec)$/i;
         return data.some((entry) => entry.type === 'dir' && TEST_DIR.test(entry.name));
     }
-    catch {
+    catch (err) {
+        if (isRateLimitOrAuthError(err))
+            throw err;
+        warn(MODULE, `test-infrastructure probe for ${owner}/${repo} failed: ${errorMessage(err)}`);
         return undefined;
     }
 }

package/dist/commands/daily-render.d.ts

@@ -15,6 +15,7 @@
  * (daily-logic.test.ts) — pure rendering, easy to assert on string output.
  */
 import type { CapacityAssessment, CommentedIssue, CommentedIssueWithResponse, DailyDigest, MaintainerActionHint } from '../core/types.js';
+import type { AttentionSummary } from '../core/pr-attention.js';
 /**
  * Format a maintainer action hint as a human-readable label.
  */
@@ -24,7 +25,7 @@ export declare function formatActionHint(hint: MaintainerActionHint): string;
  *
  * @returns One-line status string (e.g., "3 Active PRs | 1 needs attention | 2 issue replies")
  */
-export declare function formatBriefSummary(digest: DailyDigest, issueCount: number, issueResponseCount?: number): string;
+export declare function formatBriefSummary(digest: DailyDigest, issueCount: number, issueResponseCount?: number, attention?: Pick<AttentionSummary, 'stuckCI' | 'dormantFollowup'>): string;
 /**
  * Format the full dashboard summary as markdown.
  * Used in JSON output for Claude to display verbatim — includes all PR sections,

package/dist/commands/daily-render.js

@@ -42,10 +42,16 @@ export function formatActionHint(hint) {
  *
  * @returns One-line status string (e.g., "3 Active PRs | 1 needs attention | 2 issue replies")
  */
-export function formatBriefSummary(digest, issueCount, issueResponseCount = 0) {
+export function formatBriefSummary(digest, issueCount, issueResponseCount = 0, attention) {
     const attentionText = issueCount > 0 ? `${issueCount} need${issueCount === 1 ? 's' : ''} attention` : 'all on track';
     const issueReplyText = issueResponseCount > 0 ? ` | ${issueResponseCount} issue repl${issueResponseCount === 1 ? 'y' : 'ies'}` : '';
-    return `\u{1F4CA} ${digest.summary.totalActivePRs} Active PRs | ${attentionText}${issueReplyText}`;
+    // #1352: the watch-style buckets are appended only when non-zero — they're
+    // ping/nudge workflows, not part of the headline "need attention" count.
+    const stuckText = attention && attention.stuckCI > 0 ? ` | ${attention.stuckCI} stuck CI` : '';
+    const dormantText = attention && attention.dormantFollowup > 0
+        ? ` | ${attention.dormantFollowup} dormant follow-up${attention.dormantFollowup === 1 ? '' : 's'}`
+        : '';
+    return `\u{1F4CA} ${digest.summary.totalActivePRs} Active PRs | ${attentionText}${issueReplyText}${stuckText}${dormantText}`;
 }
 /**
  * Format the full dashboard summary as markdown.

package/dist/commands/daily.d.ts

@@ -6,7 +6,7 @@
  * Domain logic lives in src/core/daily-logic.ts; this file is a thin
  * orchestration layer that wires up the phases and handles I/O.
  */
-import { type DailyDigest, type CommentedIssue, type PRCheckFailure, type RepoGroup } from '../core/index.js';
+import { type AttentionSummary, type DailyDigest, type CommentedIssue, type PRCheckFailure, type RepoGroup } from '../core/index.js';
 import { type StrategyResult } from '../core/strategy.js';
 import { type DailyOutput, type DailyWarning, type CapacityAssessment, type ActionableIssue, type ActionMenu } from '../formatters/json.js';
 export { applyStatusOverrides, computeRepoSignals, groupPRsByRepo, assessCapacity, collectActionableIssues, computeActionMenu, toShelvedPRRef, formatBriefSummary, formatSummary, printDigest, CRITICAL_STATUSES, } from '../core/index.js';
@@ -23,6 +23,8 @@ export interface DailyCheckResult {
     summary: string;
     briefSummary: string;
     actionableIssues: ActionableIssue[];
+    /** Unified attention-bucket counts over active PRs (#1352). */
+    attention: AttentionSummary;
     actionMenu: ActionMenu;
     commentedIssues: CommentedIssue[];
     repoGroups: RepoGroup[];

package/dist/commands/daily.js

@@ -6,8 +6,9 @@
  * Domain logic lives in src/core/daily-logic.ts; this file is a thin
  * orchestration layer that wires up the phases and handles I/O.
  */
-import { getStateManager, PRMonitor, IssueConversationMonitor, requireGitHubToken, CRITICAL_STATUSES, applyStatusOverrides, computeRepoSignals, groupPRsByRepo, assessCapacity, collectActionableIssues, computeActionMenu, toShelvedPRRef, formatBriefSummary, formatSummary, } from '../core/index.js';
+import { getStateManager, PRMonitor, IssueConversationMonitor, requireGitHubToken, CRITICAL_STATUSES, applyStatusOverrides, computeRepoSignals, groupPRsByRepo, assessCapacity, collectActionableIssues, computeActionMenu, toShelvedPRRef, formatBriefSummary, formatSummary, summarizeAttentionBuckets, } from '../core/index.js';
 import { errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
+import { wrapUntrustedContent } from '../core/untrusted-content.js';
 import { computeStrategy, shouldComputeStrategy } from '../core/strategy.js';
 import { warn } from '../core/logger.js';
 import { emptyPRCountsResult } from '../core/github-stats.js';
@@ -419,7 +420,10 @@ function generateDigestOutput(digest, activePRs, shelvedPRs, commentedIssues, fa
     // Auto-undismiss mutations are auto-saved by undismissIssue()
     const actionableIssues = collectActionableIssues(activePRs, previousLastDigestAt);
     digest.summary.totalNeedingAttention = actionableIssues.length;
-    const briefSummary = formatBriefSummary(digest, actionableIssues.length, issueResponses.length);
+    // #1352: one classifier for all attention surfaces — the dashboard stamps
+    // the same buckets per-PR, so the headline counts cannot diverge.
+    const attention = summarizeAttentionBuckets(activePRs);
+    const briefSummary = formatBriefSummary(digest, actionableIssues.length, issueResponses.length, attention);
     const actionMenu = computeActionMenu(actionableIssues, capacity, filteredCommentedIssues);
     const repoGroups = groupPRsByRepo(activePRs);
     // Periodic strategy snapshot (#1270 Step 2). Cadence-gated to fire every
@@ -446,6 +450,7 @@ function generateDigestOutput(digest, activePRs, shelvedPRs, commentedIssues, fa
         summary,
         briefSummary,
         actionableIssues,
+        attention,
         actionMenu,
         commentedIssues: filteredCommentedIssues,
         repoGroups,
@@ -457,6 +462,35 @@ function generateDigestOutput(digest, activePRs, shelvedPRs, commentedIssues, fa
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
+/**
+ * Fence the GitHub-sourced comment excerpts in a CommentedIssue for
+ * agent-facing JSON (#1372). This happens HERE — not in
+ * `issue-conversation.ts` — because the producer's objects also feed the
+ * dashboard SPA and the CLI text renderers (`daily-render.ts`), which must
+ * not display raw fence tags, and the producer's internal classification
+ * (acknowledgment / @mention matching) string-matches on raw bodies.
+ *
+ * `userLastCommentBody` is fenced too: it is the user's own comment, but
+ * repo maintainers can edit any comment in their repos, so it is still
+ * GitHub-controlled text by the time we re-fetch it.
+ */
+function fenceCommentedIssue(issue) {
+    const label = `${issue.repo}#${issue.number}`;
+    if (issue.status === 'new_response') {
+        return {
+            ...issue,
+            userLastCommentBody: wrapUntrustedContent(issue.userLastCommentBody, label, { source: 'issue-comment' }),
+            lastResponseBody: wrapUntrustedContent(issue.lastResponseBody, label, {
+                author: issue.lastResponseAuthor,
+                source: 'issue-comment',
+            }),
+        };
+    }
+    return {
+        ...issue,
+        userLastCommentBody: wrapUntrustedContent(issue.userLastCommentBody, label, { source: 'issue-comment' }),
+    };
+}
 /**
  * Convert a full DailyCheckResult to the compact DailyOutput for JSON serialization (#287).
  * Deduplicates PR objects: category arrays become PR URL references,
@@ -472,8 +506,9 @@ export function toDailyOutput(result) {
         summary: result.summary,
         briefSummary: result.briefSummary,
         actionableIssues: compactActionableIssues(result.actionableIssues),
+        attention: result.attention,
         actionMenu: result.actionMenu,
-        commentedIssues: result.commentedIssues,
+        commentedIssues: result.commentedIssues.map(fenceCommentedIssue),
         repoGroups: compactRepoGroups(result.repoGroups),
         failures: result.failures,
         warnings: result.warnings,
@@ -516,6 +551,13 @@ async function executeDailyCheckInternal(token) {
     if (staleness) {
         warnings.push(buildStalenessWarning(staleness));
     }
+    // Surface a state-load recovery (corrupt state.json restored from backup or
+    // replaced with fresh state) so it's machine-visible, not just stderr (#1371).
+    const loadRecovery = getStateManager().getLoadRecovery();
+    if (loadRecovery) {
+        recordWarning(warnings, 'state-load', 'State file recovery', new Error(`${loadRecovery.reason}; recovered from ${loadRecovery.source}` +
+            (loadRecovery.rejectedPath ? `; rejected file preserved at ${loadRecovery.rejectedPath}` : '')));
+    }
     // Phase 1: Fetch all PR data from GitHub
     const { prs, failures, mergedCounts, closedCounts, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed, recentlyClosedPRs, recentlyMergedPRs, commentedIssues, } = await fetchPRData(prMonitor, token, warnings);
     // Phase 2: Update repo scores (signals, star counts, trust sync)
@@ -566,10 +608,18 @@ async function executeDailyCheckInternal(token) {
     // Checkpoint: push state to Gist if in Gist mode.
     // If getStateManagerAsync was not called before this command ran,
     // isGistMode() will be false and checkpoint is correctly skipped.
+    // `warnings` is the same array referenced by `result`, so warnings
+    // recorded here still reach the structured output.
     try {
         const sm = getStateManager();
         if (sm.isGistMode()) {
-            await sm.checkpoint();
+            // checkpoint() resolves false (no throw) when the push failed after
+            // its retry — previously discarded, reporting clean success while
+            // cross-machine state silently drifted (#1370).
+            const pushed = await sm.checkpoint();
+            if (!pushed) {
+                recordWarning(warnings, 'gist-checkpoint', 'Gist checkpoint', new Error('push failed after retry; state not synced to Gist this run'));
+            }
         }
     }
     catch (err) {

package/dist/commands/dashboard-data.d.ts

@@ -67,6 +67,23 @@ export interface ActionRequest {
     target?: 'attention' | 'waiting' | 'shelved' | 'auto';
 }
 export declare function buildDashboardStats(digest: DailyDigest, state: Readonly<AgentState>, storedMergedCount?: number, storedClosedCount?: number): DashboardStats;
+/**
+ * Re-derive `digest.shelvedPRs` and `summary.totalActivePRs` from the CURRENT
+ * `state.config.shelvedPRUrls` so a shelve/unshelve issued from the dashboard
+ * SPA is reflected immediately.
+ *
+ * Why this exists: POST /api/action → runMove only mutates
+ * `state.config.shelvedPRUrls`; it never touches the cached digest.
+ * buildDashboardJson derives both `shelvedPRUrls` and `stats.shelvedPRs` from
+ * `digest.shelvedPRs`, so without this reconciliation a dashboard shelve/unshelve
+ * appears to do nothing until the next full /api/refresh rebuilds the digest.
+ *
+ * Baked shelved entries that are NOT among the current open PRs (the daily-check
+ * dormant partition, #981) are preserved as-is — the SPA cannot act on those —
+ * while explicit shelve/unshelve of open PRs and the dormant-auto-shelve rule
+ * are honored.
+ */
+export declare function reconcileShelvePartition(digest: DailyDigest, state: Readonly<AgentState>): void;
 /**
  * Merge fresh API counts into existing stored counts.
  * Months present in the fresh data are updated; months only in the existing data are preserved.

package/dist/commands/dashboard-data.js

@@ -3,7 +3,7 @@
  * Handles GitHub API calls, PR grouping, stats computation, and monthly chart data.
  * Consumed by the dashboard HTTP server (dashboard-server.ts) for the SPA API.
  */
-import { getStateManager, PRMonitor, IssueConversationMonitor, getOctokit } from '../core/index.js';
+import { getStateManager, PRMonitor, IssueConversationMonitor, getOctokit, CRITICAL_STATUSES } from '../core/index.js';
 import { errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
 import { emptyPRCountsResult, fetchMergedPRsSince, fetchClosedPRsSince } from '../core/github-stats.js';
@@ -35,6 +35,62 @@ export function buildDashboardStats(digest, state, storedMergedCount, storedClos
         mergeRate: `${(summary.mergeRate ?? 0).toFixed(1)}%`,
     };
 }
+/**
+ * A PR is shelved for display when the user explicitly shelved it, or the
+ * dormant-auto-shelve rule applies (dormant + not needing attention). Mirrors
+ * the partition built in fetchDashboardData (see the `freshShelved` filter).
+ *
+ * #1352: an explicitly shelved PR that turns critical is NOT shelved for
+ * display — the daily check auto-unshelves it (`CRITICAL_STATUSES`), so the
+ * dashboard must agree immediately rather than diverging from the CLI's
+ * headline count until the next daily run.
+ */
+function isShelvedForDisplay(pr, explicitlyShelved) {
+    if (CRITICAL_STATUSES.has(pr.status))
+        return false;
+    return explicitlyShelved.has(pr.url) || pr.stalenessTier === 'dormant';
+}
+/**
+ * Re-derive `digest.shelvedPRs` and `summary.totalActivePRs` from the CURRENT
+ * `state.config.shelvedPRUrls` so a shelve/unshelve issued from the dashboard
+ * SPA is reflected immediately.
+ *
+ * Why this exists: POST /api/action → runMove only mutates
+ * `state.config.shelvedPRUrls`; it never touches the cached digest.
+ * buildDashboardJson derives both `shelvedPRUrls` and `stats.shelvedPRs` from
+ * `digest.shelvedPRs`, so without this reconciliation a dashboard shelve/unshelve
+ * appears to do nothing until the next full /api/refresh rebuilds the digest.
+ *
+ * Baked shelved entries that are NOT among the current open PRs (the daily-check
+ * dormant partition, #981) are preserved as-is — the SPA cannot act on those —
+ * while explicit shelve/unshelve of open PRs and the dormant-auto-shelve rule
+ * are honored.
+ */
+export function reconcileShelvePartition(digest, state) {
+    const openPRs = (digest.openPRs || []);
+    const openByUrl = new Map(openPRs.map((pr) => [pr.url, pr]));
+    const explicitlyShelved = new Set(state.config.shelvedPRUrls || []);
+    // Keep baked entries that are either off the open-PR list (daily dormant
+    // partition we can't recompute here) or still shelved under current state.
+    const reconciled = (digest.shelvedPRs || []).filter((ref) => {
+        const pr = openByUrl.get(ref.url);
+        return !pr || isShelvedForDisplay(pr, explicitlyShelved);
+    });
+    // Add open PRs that became shelved but aren't represented in the baked list yet.
+    const present = new Set(reconciled.map((ref) => ref.url));
+    for (const pr of openPRs) {
+        if (!present.has(pr.url) && isShelvedForDisplay(pr, explicitlyShelved)) {
+            reconciled.push(toShelvedPRRef(pr));
+        }
+    }
+    digest.shelvedPRs = reconciled;
+    // Only re-derive the active count when we actually have the open-PR list;
+    // some digests carry an authoritative summary with an empty openPRs fixture.
+    if (openPRs.length > 0) {
+        const shelvedOpen = reconciled.filter((ref) => openByUrl.has(ref.url)).length;
+        digest.summary.totalActivePRs = openPRs.length - shelvedOpen;
+    }
+}
 /**
  * Merge fresh API counts into existing stored counts.
  * Months present in the fresh data are updated; months only in the existing data are preserved.
@@ -205,10 +261,12 @@ export async function fetchDashboardData(token) {
             const { monthlyCounts: monthlyClosedCounts, monthlyOpenedCounts: openedFromClosed } = closedResult;
             updateMonthlyAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed);
             const digest = prMonitor.generateDigest(prs, recentlyClosedPRs, recentlyMergedPRs);
-            // Apply shelve partitioning for display (auto-unshelve only runs in daily check)
-            // Dormant PRs are treated as shelved unless they need addressing
+            // Apply shelve partitioning for display (auto-unshelve only runs in daily check).
+            // Dormant PRs are treated as shelved unless they need addressing, and a
+            // critical PR is never display-shelved (#1352) — mirrors the daily
+            // check's CRITICAL_STATUSES auto-unshelve so headline counts agree.
             const shelvedUrls = new Set(stateManager.getState().config.shelvedPRUrls || []);
-            const freshShelved = prs.filter((pr) => shelvedUrls.has(pr.url) || (pr.stalenessTier === 'dormant' && pr.status !== 'needs_addressing'));
+            const freshShelved = prs.filter((pr) => !CRITICAL_STATUSES.has(pr.status) && (shelvedUrls.has(pr.url) || pr.stalenessTier === 'dormant'));
             digest.shelvedPRs = freshShelved.map(toShelvedPRRef);
             digest.autoUnshelvedPRs = [];
             digest.summary.totalActivePRs = prs.length - freshShelved.length;

package/dist/commands/dashboard-server.js

@@ -9,11 +9,11 @@ import * as http from 'node:http';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
-import { getStateManager, getGitHubToken, getCLIVersion, applyStatusOverrides } from '../core/index.js';
-import { errorMessage, ValidationError } from '../core/errors.js';
+import { getStateManager, getGitHubToken, getCLIVersion, applyStatusOverrides, classifyAttentionBucket, } from '../core/index.js';
+import { errorMessage, ValidationError, ConcurrencyError, GistConcurrencyError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
 import { validateUrl, validateGitHubUrl, PR_URL_PATTERN, ISSUE_URL_PATTERN } from './validation.js';
-import { fetchDashboardData, computePRsByRepo, computeTopRepos, getMonthlyData, buildDashboardStats, storedToMergedPRs, storedToClosedPRs, } from './dashboard-data.js';
+import { fetchDashboardData, computePRsByRepo, computeTopRepos, getMonthlyData, buildDashboardStats, reconcileShelvePartition, storedToMergedPRs, storedToClosedPRs, } from './dashboard-data.js';
 import { openInBrowser, detectIssueList } from './startup.js';
 import { parseIssueList } from './parse-list.js';
 import { writeDashboardServerInfo, removeDashboardServerInfo } from './dashboard-process.js';
@@ -75,6 +75,11 @@ function getIssueListMtimeMs() {
  * start-up, so tests that need a specific digest should call this directly).
  */
 export function buildDashboardJson(digest, state, commentedIssues, allMergedPRs, allClosedPRs, partialFailures) {
+    // Re-derive the shelve partition from the CURRENT state before reading it.
+    // The POST /api/action path rebuilds with a cached digest whose shelvedPRs
+    // predates the shelve/unshelve, so without this the SPA action appears to do
+    // nothing until the next full /api/refresh.
+    reconcileShelvePartition(digest, state);
     const prsByRepo = computePRsByRepo(digest, state);
     const topRepos = computeTopRepos(prsByRepo);
     const { monthlyMerged, monthlyOpened, monthlyClosed } = getMonthlyData(state);
@@ -108,7 +113,12 @@ export function buildDashboardJson(digest, state, commentedIssues, allMergedPRs,
         monthlyMerged,
         monthlyOpened,
         monthlyClosed,
-        activePRs: applyStatusOverrides(digest.openPRs || [], state),
+        // #1352: stamp the unified attention bucket so the SPA renders the same
+        // taxonomy the CLI brief counts (single classifier, no second opinion).
+        activePRs: applyStatusOverrides(digest.openPRs || [], state).map((pr) => ({
+            ...pr,
+            attentionBucket: classifyAttentionBucket(pr),
+        })),
         // Source of truth is digest.shelvedPRs (union of explicitly-shelved URLs
         // and dormant-non-addressing PRs auto-shelved for display). Returning
         // only state.config.shelvedPRUrls would under-count and desync from
@@ -240,6 +250,27 @@ function sendJson(res, statusCode, data) {
 function sendError(res, statusCode, message) {
     sendJson(res, statusCode, { error: message });
 }
+/**
+ * True when an error is an optimistic-concurrency conflict on state.json
+ * (local mtime CAS) or the state Gist (ETag CAS). Both carry the
+ * CONCURRENCY_ERROR code and the same recovery contract: reload, re-apply,
+ * save. See state-concurrency.test.ts (#1378) and errors.ts.
+ */
+function isConcurrencyConflict(error) {
+    return error instanceof ConcurrencyError || error instanceof GistConcurrencyError;
+}
+/**
+ * Send the machine-readable 409 for a concurrency conflict (#1397).
+ * `retryable: true` tells the SPA it can re-prime via GET /api/data and
+ * retry the POST; `code` matches the structured code on ConcurrencyError.
+ */
+function sendConflict(res) {
+    sendJson(res, 409, {
+        error: 'Another process wrote state concurrently — retry the request',
+        code: 'CONCURRENCY_ERROR',
+        retryable: true,
+    });
+}
 // ── Server ─────────────────────────────────────────────────────────────────────
 export async function startDashboardServer(options) {
     const { port: requestedPort, assetsDir, token, open } = options;
@@ -398,14 +429,16 @@ export async function startDashboardServer(options) {
     });
     server.requestTimeout = REQUEST_TIMEOUT_MS;
     // ── POST /api/action handler ─────────────────────────────────────────────
-    async function handleAction(req, res) {
-        // Reload state before mutating to avoid overwriting external CLI changes
+    /** Re-read state written by external processes (CLI) before mutating. */
+    async function reloadState() {
         if (stateManager.isGistMode()) {
             await stateManager.refreshFromGist();
         }
         else {
             stateManager.reloadIfChanged();
         }
+    }
+    async function handleAction(req, res) {
         let body;
         try {
             const raw = await readBody(req);
@@ -440,24 +473,62 @@ export async function startDashboardServer(options) {
             }
             return;
         }
-        try {
-            if (body.action === 'move') {
-                const { VALID_TARGETS, runMove } = await import('./move.js');
-                if (!body.target || !VALID_TARGETS.includes(body.target)) {
-                    sendError(res, 400, `move requires a valid "target" field (${VALID_TARGETS.join(', ')})`);
-                    return;
-                }
-                await runMove({ prUrl: body.url, target: body.target });
+        // Resolve the mutation up-front so target validation happens before the
+        // state reload — keeps the reload-to-save freshness window minimal.
+        let applyMutation;
+        if (body.action === 'move') {
+            const { VALID_TARGETS, runMove } = await import('./move.js');
+            if (!body.target || !VALID_TARGETS.includes(body.target)) {
+                sendError(res, 400, `move requires a valid "target" field (${VALID_TARGETS.join(', ')})`);
+                return;
             }
-            else {
-                // dismiss_issue_response
+            const target = body.target;
+            applyMutation = async () => {
+                await runMove({ prUrl: body.url, target });
+            };
+        }
+        else {
+            // dismiss_issue_response
+            applyMutation = () => {
                 stateManager.dismissIssue(body.url, new Date().toISOString());
-            }
+            };
+        }
+        // Reload state before mutating to avoid overwriting external CLI changes.
+        // Runs AFTER body parsing/validation (which only inspects the request,
+        // never the loaded state) so the read-modify-write window excludes the
+        // body-streaming time (#1397).
+        await reloadState();
+        try {
+            await applyMutation();
         }
         catch (error) {
-            warn(MODULE, `Action failed: ${body.action} ${body.url} ${errorMessage(error)}`);
-            sendError(res, 500, 'Action failed');
-            return;
+            if (!isConcurrencyConflict(error)) {
+                warn(MODULE, `Action failed: ${body.action} ${body.url} ${errorMessage(error)}`);
+                sendError(res, 500, 'Action failed');
+                return;
+            }
+            // Concurrency conflict: an external write landed between our reload and
+            // save. Decision (#1397): retry ONCE server-side instead of bouncing the
+            // first conflict to the client. Both mutations (move targets, dismiss)
+            // are absolute set operations, so re-applying them on a freshly reloaded
+            // baseline is safe — exactly the reload-reapply recovery contract pinned
+            // in state-concurrency.test.ts. A second consecutive conflict means
+            // sustained contention; surface it as a retryable 409 and let the SPA
+            // re-prime and retry.
+            try {
+                await reloadState();
+                await applyMutation();
+            }
+            catch (retryError) {
+                if (isConcurrencyConflict(retryError)) {
+                    warn(MODULE, `Action conflicted twice: ${body.action} ${body.url} ${errorMessage(retryError)}`);
+                    sendConflict(res);
+                    return;
+                }
+                warn(MODULE, `Action failed on conflict retry: ${body.action} ${body.url} ${errorMessage(retryError)}`);
+                sendError(res, 500, 'Action failed');
+                return;
+            }
         }
         // Rebuild dashboard data from cached digest + updated state. Persist
         // the last-known partialFailures across action rebuilds (#1035) so the
@@ -475,12 +546,7 @@ export async function startDashboardServer(options) {
             return;
         }
         try {
-            if (stateManager.isGistMode()) {
-                await stateManager.refreshFromGist();
-            }
-            else {
-                stateManager.reloadIfChanged();
-            }
+            await reloadState();
             warn(MODULE, 'Refreshing dashboard data from GitHub...');
             const result = await fetchDashboardData(currentToken);
             cachedDigest = result.digest;
@@ -493,6 +559,14 @@ export async function startDashboardServer(options) {
             sendJson(res, 200, cachedJsonData);
         }
         catch (error) {
+            // No server-side retry here (unlike handleAction): a refresh re-run is a
+            // full GitHub fetch — expensive and rate-limited. The 409 is retryable
+            // by the client, which re-POSTs /api/refresh on its own schedule (#1397).
+            if (isConcurrencyConflict(error)) {
+                warn(MODULE, `Dashboard refresh hit a concurrent state write: ${errorMessage(error)}`);
+                sendConflict(res);
+                return;
+            }
             warn(MODULE, `Dashboard refresh failed: ${errorMessage(error)}`);
             sendError(res, 500, 'Refresh failed');
         }