@oss-autopilot/core 3.11.0 → 3.12.0

package/dist/core/issue-verification.js

@@ -0,0 +1,270 @@
+/**
+ * Deterministic issue verification (#1353, #1354).
+ *
+ * One GraphQL round-trip answers the two questions the issue-scout agent
+ * historically hallucinated: "is this issue actually open?" and "is it
+ * actually taken?". The query fetches the issue's `state`/`stateReason`,
+ * its assignees, every cross-referenced PR with `closingIssuesReferences`,
+ * and `viewer.login` — so "is this my PR?" is derived from the same token
+ * that fetched the data instead of a cached username.
+ *
+ * Classification is a pure function (`classifyIssueAvailability`) so the
+ * verdict rules are unit-testable without network access. The distinction
+ * that matters (#1353): a PR whose `closingIssuesReferences` includes this
+ * issue is a real claim (`closing`); a PR that merely mentions the issue in
+ * its timeline is just a mention (`cross-referenced`) and must not drive a
+ * "Taken" verdict.
+ */
+import { ValidationError } from './errors.js';
+function isSameLogin(a, b) {
+    return a !== null && a !== '' && b !== '' && a.toLowerCase() === b.toLowerCase();
+}
+/**
+ * Compute the availability verdict from fetched facts. Rules in priority
+ * order; the first match wins.
+ */
+export function classifyIssueAvailability(input) {
+    const { state, stateReason, assignees, linkedPRs, userLogin } = input;
+    if (state === 'closed') {
+        const reason = stateReason ?? 'unknown';
+        return {
+            verdict: 'closed',
+            verdictReason: reason === 'not_planned'
+                ? 'issue closed as not planned — drop it permanently'
+                : `issue closed (${reason}) — mark it done upstream`,
+        };
+    }
+    const closingPRs = linkedPRs.filter((pr) => pr.linkType === 'closing');
+    const ownOpenClaim = closingPRs.find((pr) => pr.state === 'open' && pr.isOwn);
+    if (ownOpenClaim) {
+        return {
+            verdict: 'own-open-pr',
+            verdictReason: `you already have an open PR for this issue: ${ownOpenClaim.url}`,
+        };
+    }
+    const otherOpenClaim = closingPRs.find((pr) => pr.state === 'open' && !pr.isOwn);
+    if (otherOpenClaim) {
+        return {
+            verdict: 'taken',
+            verdictReason: `open PR by ${otherOpenClaim.author ?? 'unknown author'} closes this issue: ${otherOpenClaim.url}`,
+        };
+    }
+    const otherAssignees = assignees.filter((login) => !isSameLogin(login, userLogin));
+    if (otherAssignees.length > 0) {
+        return {
+            verdict: 'taken',
+            verdictReason: `assigned to ${otherAssignees.join(', ')}`,
+        };
+    }
+    const mergedClaim = closingPRs.find((pr) => pr.state === 'merged');
+    if (mergedClaim) {
+        return {
+            verdict: 'at-risk',
+            verdictReason: `a merged PR closes this issue (${mergedClaim.url}) — likely resolved, awaiting issue close`,
+        };
+    }
+    const openMention = linkedPRs.find((pr) => pr.linkType === 'cross-referenced' && pr.state === 'open');
+    if (openMention) {
+        return {
+            verdict: 'at-risk',
+            verdictReason: `open PR ${openMention.url} cross-references this issue (mention only, not a claim) — ` +
+                'risk of being superseded by broader work',
+        };
+    }
+    // Self-assignment was filtered out above — don't claim "unassigned" then.
+    const selfAssigned = assignees.length > 0;
+    return {
+        verdict: 'available',
+        verdictReason: selfAssigned ? 'open, assigned to you, no claiming PRs' : 'open, unassigned, no claiming PRs',
+    };
+}
+// ── GraphQL fetch ──────────────────────────────────────────────────────
+const VERIFY_ISSUE_QUERY = /* GraphQL */ `
+  query VerifyIssue($owner: String!, $repo: String!, $number: Int!, $after: String) {
+    viewer {
+      login
+    }
+    repository(owner: $owner, name: $repo) {
+      issue(number: $number) {
+        number
+        title
+        url
+        state
+        stateReason
+        closedAt
+        assignees(first: 10) {
+          nodes {
+            login
+          }
+        }
+        timelineItems(itemTypes: [CROSS_REFERENCED_EVENT], first: 100, after: $after) {
+          pageInfo {
+            hasNextPage
+            endCursor
+          }
+          nodes {
+            ... on CrossReferencedEvent {
+              source {
+                ... on PullRequest {
+                  number
+                  url
+                  title
+                  state
+                  isDraft
+                  updatedAt
+                  author {
+                    login
+                  }
+                  closingIssuesReferences(first: 50) {
+                    nodes {
+                      number
+                      repository {
+                        nameWithOwner
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+`;
+/**
+ * Fetch + classify in one GraphQL round-trip.
+ *
+ * Throws `ValidationError` when the issue does not exist (or the URL points
+ * at a PR — GitHub's `issue()` resolver returns null for PR numbers).
+ * GraphQL/network/rate-limit errors propagate to the caller; nothing is
+ * swallowed into a degraded verdict.
+ */
+/** True when a GraphQL error response is purely "the repo/issue we asked for
+ * doesn't exist" — a caller-input problem, not an API failure. Requires every
+ * error to be NOT_FOUND *and* rooted at the repository/issue path: a nested
+ * NOT_FOUND (e.g. a cross-referenced source in a deleted repo) must not be
+ * misdiagnosed as "issue not found". Duck-typed so we don't import octokit's
+ * GraphqlResponseError class just for instanceof. */
+function isGraphqlNotFound(error) {
+    const errors = error?.errors;
+    if (!Array.isArray(errors) || errors.length === 0)
+        return false;
+    return errors.every((e) => {
+        if (e?.type !== 'NOT_FOUND')
+            return false;
+        const path = Array.isArray(e.path) ? e.path : [];
+        return path.length <= 2 && (path.length === 0 || (path[0] === 'repository' && (path[1] ?? 'issue') === 'issue'));
+    });
+}
+/**
+ * Hard ceiling on timeline pages (100 events each). Timeline events arrive
+ * oldest-first, so silently stopping early would drop the NEWEST events —
+ * exactly the ones most likely to be the active claiming PR. Past the cap we
+ * fail loudly instead of returning a possibly-false `available`.
+ */
+const MAX_TIMELINE_PAGES = 20;
+export async function fetchIssueVerification(octokit, params) {
+    const { owner, repo, number } = params;
+    let issue;
+    let userLogin;
+    const timelineNodes = [];
+    let after = null;
+    for (let page = 0;; page++) {
+        if (page >= MAX_TIMELINE_PAGES) {
+            throw new Error(`Issue ${owner}/${repo}#${number} has more than ${MAX_TIMELINE_PAGES * 100} cross-reference events; ` +
+                'refusing to verify on a truncated timeline. Check the issue manually.');
+        }
+        let response;
+        try {
+            response = await octokit.graphql(VERIFY_ISSUE_QUERY, {
+                owner,
+                repo,
+                number,
+                after,
+            });
+        }
+        catch (error) {
+            // GitHub reports a missing repo/issue as a NOT_FOUND GraphQL error (the
+            // client throws before our null check below can run). Surface it as the
+            // same ValidationError; everything else (rate limits, network, auth)
+            // propagates untouched.
+            if (isGraphqlNotFound(error)) {
+                throw new ValidationError(`Issue not found: ${owner}/${repo}#${number}. ` +
+                    'Check the URL — it may point at a pull request or a deleted/private issue.');
+            }
+            throw error;
+        }
+        const pageIssue = response.repository?.issue;
+        if (!pageIssue) {
+            throw new ValidationError(`Issue not found: ${owner}/${repo}#${number}. ` +
+                'Check the URL — it may point at a pull request or a deleted/private issue.');
+        }
+        issue ??= pageIssue;
+        userLogin = response.viewer.login;
+        timelineNodes.push(...pageIssue.timelineItems.nodes);
+        const pageInfo = pageIssue.timelineItems.pageInfo;
+        if (!pageInfo?.hasNextPage)
+            break;
+        after = pageInfo.endCursor;
+    }
+    // The loop above either assigns both then breaks, or throws.
+    if (!issue || userLogin === undefined) {
+        throw new Error('unreachable: timeline pagination exited without an issue');
+    }
+    const issueRepo = `${owner}/${repo}`.toLowerCase();
+    const linkedPRs = [];
+    const seenUrls = new Set();
+    for (const node of timelineNodes) {
+        const source = node?.source;
+        // CrossReferencedEvent sources can be issues too; PRs are the ones that
+        // carry a `state` from the inline fragment. Skip everything else.
+        if (!source || typeof source.number !== 'number' || !source.url || !source.state)
+            continue;
+        if (seenUrls.has(source.url))
+            continue;
+        seenUrls.add(source.url);
+        // A "closing" link must name THIS issue in THIS repo — closing references
+        // to same-numbered issues in other repos don't count. Deliberate cap:
+        // `closingIssuesReferences(first: 50)` — a PR closing 50+ issues is
+        // pathological; its claim on this one would downgrade to a mention.
+        const closesThisIssue = (source.closingIssuesReferences?.nodes ?? []).some((ref) => ref !== null && ref.number === number && ref.repository.nameWithOwner.toLowerCase() === issueRepo);
+        const author = source.author?.login ?? null;
+        linkedPRs.push({
+            number: source.number,
+            url: source.url,
+            title: source.title ?? '',
+            state: source.state.toLowerCase(),
+            isDraft: source.isDraft ?? false,
+            author,
+            isOwn: isSameLogin(author, userLogin),
+            linkType: closesThisIssue ? 'closing' : 'cross-referenced',
+            updatedAt: source.updatedAt ?? null,
+        });
+    }
+    const state = issue.state.toLowerCase();
+    const stateReason = (issue.stateReason?.toLowerCase() ?? null);
+    const assignees = issue.assignees.nodes.flatMap((n) => (n ? [n.login] : []));
+    const { verdict, verdictReason } = classifyIssueAvailability({
+        state,
+        stateReason,
+        assignees,
+        linkedPRs,
+        userLogin,
+    });
+    return {
+        url: issue.url,
+        owner,
+        repo,
+        number: issue.number,
+        title: issue.title,
+        state,
+        stateReason,
+        closedAt: issue.closedAt,
+        assignees,
+        linkedPRs,
+        verdict,
+        verdictReason,
+        userLogin,
+    };
+}

package/dist/core/pr-attention.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Unified PR attention taxonomy (#1352).
+ *
+ * The headline "needs attention" number used to be computed twice — the CLI
+ * brief counted `collectActionableIssues()` output while the dashboard
+ * counted raw `status === 'needs_addressing'` — and the cases the CLI
+ * deliberately excludes (stuck CI, dormant maintainer waits) sat
+ * undifferentiated inside `waiting_on_maintainer`. This module is the single
+ * classifier both surfaces consume.
+ *
+ * Buckets (mutually exclusive, first match wins):
+ * - `needs_attention` — the contributor has a concrete code-related next
+ *   step today (`status === 'needs_addressing'`: response, changes, CI fix,
+ *   conflict, checklist). This is the headline count on BOTH surfaces.
+ * - `stuck_ci` — waiting PRs whose CI has been `pending` long past any
+ *   normal run time. A "ping / investigate" workflow, not a coding one.
+ * - `dormant_followup` — waiting PRs with `review_required` and no activity
+ *   past the follow-up threshold. A "draft a nudge" workflow.
+ * - `waiting` — everything else that's healthy to leave alone.
+ */
+import type { AttentionBucket, FetchedPR } from './types.js';
+export type { AttentionBucket } from './types.js';
+/**
+ * Days of inactivity after which a `pending` CI status reads as stuck rather
+ * than in-flight. Real CI runs finish in minutes-to-hours; multiple days of
+ * `pending` means a webhook was lost, a runner died, or a required check
+ * never started.
+ */
+export declare const STUCK_CI_THRESHOLD_DAYS = 3;
+/**
+ * Days of inactivity after which a `review_required` PR becomes a follow-up
+ * candidate. Matches the middle step of the 7/14/30 dormant-PR follow-up
+ * cadence — early enough to nudge before the PR goes fully dormant
+ * (default `dormantThresholdDays` is 30).
+ */
+export declare const DORMANT_FOLLOWUP_THRESHOLD_DAYS = 14;
+/** The minimal slice of {@link FetchedPR} the classifier reads. */
+export type AttentionInput = Pick<FetchedPR, 'status' | 'ciStatus' | 'reviewDecision' | 'daysSinceActivity'>;
+/**
+ * Classify one PR into its attention bucket. Pure — both the CLI daily path
+ * and the dashboard `/api/data` path call this, so the two surfaces cannot
+ * diverge on what a count means.
+ */
+export declare function classifyAttentionBucket(pr: AttentionInput): AttentionBucket;
+export interface AttentionSummary {
+    needsAttention: number;
+    stuckCI: number;
+    dormantFollowup: number;
+    waiting: number;
+}
+/** Count PRs per bucket — the shape both headline surfaces render from. */
+export declare function summarizeAttentionBuckets(prs: readonly AttentionInput[]): AttentionSummary;

package/dist/core/pr-attention.js

@@ -0,0 +1,76 @@
+/**
+ * Unified PR attention taxonomy (#1352).
+ *
+ * The headline "needs attention" number used to be computed twice — the CLI
+ * brief counted `collectActionableIssues()` output while the dashboard
+ * counted raw `status === 'needs_addressing'` — and the cases the CLI
+ * deliberately excludes (stuck CI, dormant maintainer waits) sat
+ * undifferentiated inside `waiting_on_maintainer`. This module is the single
+ * classifier both surfaces consume.
+ *
+ * Buckets (mutually exclusive, first match wins):
+ * - `needs_attention` — the contributor has a concrete code-related next
+ *   step today (`status === 'needs_addressing'`: response, changes, CI fix,
+ *   conflict, checklist). This is the headline count on BOTH surfaces.
+ * - `stuck_ci` — waiting PRs whose CI has been `pending` long past any
+ *   normal run time. A "ping / investigate" workflow, not a coding one.
+ * - `dormant_followup` — waiting PRs with `review_required` and no activity
+ *   past the follow-up threshold. A "draft a nudge" workflow.
+ * - `waiting` — everything else that's healthy to leave alone.
+ */
+/**
+ * Days of inactivity after which a `pending` CI status reads as stuck rather
+ * than in-flight. Real CI runs finish in minutes-to-hours; multiple days of
+ * `pending` means a webhook was lost, a runner died, or a required check
+ * never started.
+ */
+export const STUCK_CI_THRESHOLD_DAYS = 3;
+/**
+ * Days of inactivity after which a `review_required` PR becomes a follow-up
+ * candidate. Matches the middle step of the 7/14/30 dormant-PR follow-up
+ * cadence — early enough to nudge before the PR goes fully dormant
+ * (default `dormantThresholdDays` is 30).
+ */
+export const DORMANT_FOLLOWUP_THRESHOLD_DAYS = 14;
+/**
+ * Classify one PR into its attention bucket. Pure — both the CLI daily path
+ * and the dashboard `/api/data` path call this, so the two surfaces cannot
+ * diverge on what a count means.
+ */
+export function classifyAttentionBucket(pr) {
+    if (pr.status === 'needs_addressing')
+        return 'needs_attention';
+    // From here on the PR is waiting_on_maintainer — subdivide the wait.
+    if (pr.ciStatus === 'pending' && pr.daysSinceActivity >= STUCK_CI_THRESHOLD_DAYS) {
+        return 'stuck_ci';
+    }
+    if (pr.reviewDecision === 'review_required' && pr.daysSinceActivity >= DORMANT_FOLLOWUP_THRESHOLD_DAYS) {
+        return 'dormant_followup';
+    }
+    return 'waiting';
+}
+/** Count PRs per bucket — the shape both headline surfaces render from. */
+export function summarizeAttentionBuckets(prs) {
+    const summary = { needsAttention: 0, stuckCI: 0, dormantFollowup: 0, waiting: 0 };
+    for (const pr of prs) {
+        switch (classifyAttentionBucket(pr)) {
+            case 'needs_attention': {
+                summary.needsAttention++;
+                break;
+            }
+            case 'stuck_ci': {
+                summary.stuckCI++;
+                break;
+            }
+            case 'dormant_followup': {
+                summary.dormantFollowup++;
+                break;
+            }
+            case 'waiting': {
+                summary.waiting++;
+                break;
+            }
+        }
+    }
+    return summary;
+}

package/dist/core/types.d.ts

@@ -126,6 +126,8 @@ export type MaintainerActionHint = 'demo_requested' | 'tests_requested' | 'chang
  * This is never persisted in local state — it represents a point-in-time snapshot
  * of a PR's current condition.
  */
+/** Unified attention bucket (#1352) — see core/pr-attention.ts for the classifier. */
+export type AttentionBucket = 'needs_attention' | 'stuck_ci' | 'dormant_followup' | 'waiting';
 export interface FetchedPR {
     id: number;
     url: string;
@@ -142,6 +144,11 @@ export interface FetchedPR {
     actionReasons?: ActionReason[];
     /** How stale the PR is based on activity age. Independent of status — a PR can be both needs_addressing and dormant. */
     stalenessTier: StalenessTier;
+    /** Unified attention bucket (#1352), computed by `classifyAttentionBucket()`
+     * from status/ciStatus/reviewDecision/daysSinceActivity. Stamped by the
+     * dashboard data path so the SPA renders the same taxonomy the CLI brief
+     * counts. Optional: absent on payloads from older producers. */
+    attentionBucket?: AttentionBucket;
     /** Human-readable status label for consistent display (#79). E.g., "[CI Failing]", "[Needs Response]". */
     displayLabel: string;
     /** Brief description of what's happening (#79). E.g., "3 checks failed", "@maintainer commented". */

package/dist/formatters/json.d.ts

@@ -3,6 +3,7 @@
  * Provides structured output that can be consumed by scripts and plugins
  */
 import { z, type ZodType } from 'zod';
+import type { AttentionSummary } from '../core/pr-attention.js';
 import type { FetchedPR, DailyDigest, AgentState, RepoGroup, CommentedIssue, ShelvedPRRef, SearchPriority, CapacityAssessment, ActionableIssue, ActionableIssueType, CompactActionableIssue, ActionMenuItem, ActionMenu } from '../core/types.js';
 import type { ContributionStats } from '../core/stats.js';
 import type { PRCheckFailure } from '../core/pr-monitor.js';
@@ -87,6 +88,8 @@ export interface DailyOutput {
     summary: string;
     briefSummary: string;
     actionableIssues: CompactActionableIssue[];
+    /** Unified attention-bucket counts (#1352) — same classifier the dashboard stamps per-PR. */
+    attention: AttentionSummary;
     actionMenu: ActionMenu;
     commentedIssues: CommentedIssue[];
     repoGroups: CompactRepoGroup[];
@@ -119,6 +122,8 @@ export interface CompactDailyOutput {
     capacity: CapacityAssessment;
     briefSummary: string;
     actionableIssues: CompactActionableIssue[];
+    /** Unified attention-bucket counts (#1352), retained under --compact. */
+    attention: AttentionSummary;
     actionMenu: ActionMenu;
     commentedIssues: CommentedIssue[];
     /** Number of PRs that failed to fetch. Non-zero indicates partial results. */
@@ -285,6 +290,12 @@ export declare const StrategyOutputSchema: z.ZodObject<{
     message: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 export type StrategyCommandOutput = z.infer<typeof StrategyOutputSchema>;
+export declare const AttentionSummarySchema: z.ZodObject<{
+    needsAttention: z.ZodNumber;
+    stuckCI: z.ZodNumber;
+    dormantFollowup: z.ZodNumber;
+    waiting: z.ZodNumber;
+}, z.core.$strip>;
 export declare const DailyOutputSchema: z.ZodObject<{
     digest: z.ZodObject<{
         generatedAt: z.ZodString;
@@ -348,6 +359,12 @@ export declare const DailyOutputSchema: z.ZodObject<{
         label: z.ZodString;
         isNewContribution: z.ZodBoolean;
     }, z.core.$strip>>;
+    attention: z.ZodObject<{
+        needsAttention: z.ZodNumber;
+        stuckCI: z.ZodNumber;
+        dormantFollowup: z.ZodNumber;
+        waiting: z.ZodNumber;
+    }, z.core.$strip>;
     actionMenu: z.ZodObject<{
         items: z.ZodArray<z.ZodObject<{
             key: z.ZodString;
@@ -493,6 +510,12 @@ export declare const CompactDailyOutputSchema: z.ZodObject<{
         label: z.ZodString;
         isNewContribution: z.ZodBoolean;
     }, z.core.$strip>>;
+    attention: z.ZodObject<{
+        needsAttention: z.ZodNumber;
+        stuckCI: z.ZodNumber;
+        dormantFollowup: z.ZodNumber;
+        waiting: z.ZodNumber;
+    }, z.core.$strip>;
     actionMenu: z.ZodObject<{
         items: z.ZodArray<z.ZodObject<{
             key: z.ZodString;
@@ -628,6 +651,7 @@ export declare const SearchOutputSchema: z.ZodObject<{
     }, z.core.$strip>>;
     excludedRepos: z.ZodArray<z.ZodString>;
     aiPolicyBlocklist: z.ZodArray<z.ZodString>;
+    hiddenOwnPRCount: z.ZodNumber;
     rateLimitWarning: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 export declare const FeaturesOutputSchema: z.ZodObject<{
@@ -784,7 +808,7 @@ export declare const ListMoveTierOutputSchema: z.ZodObject<{
     }>;
     fromTier: z.ZodOptional<z.ZodString>;
     count: z.ZodNumber;
-    reason: z.ZodOptional<z.ZodString>;
+    reason: z.ZodOptional<z.ZodLiteral<"already in target tier">>;
 }, z.core.$strip>;
 export declare const ListMarkDoneOutputSchema: z.ZodObject<{
     marked: z.ZodBoolean;
@@ -794,6 +818,52 @@ export declare const ListMarkDoneOutputSchema: z.ZodObject<{
     remainingUnderRepo: z.ZodNumber;
     reason: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
+export declare const VerifyIssueOutputSchema: z.ZodObject<{
+    url: z.ZodString;
+    owner: z.ZodString;
+    repo: z.ZodString;
+    number: z.ZodNumber;
+    title: z.ZodString;
+    state: z.ZodEnum<{
+        closed: "closed";
+        open: "open";
+    }>;
+    stateReason: z.ZodNullable<z.ZodEnum<{
+        completed: "completed";
+        reopened: "reopened";
+        not_planned: "not_planned";
+        duplicate: "duplicate";
+    }>>;
+    closedAt: z.ZodNullable<z.ZodString>;
+    assignees: z.ZodArray<z.ZodString>;
+    linkedPRs: z.ZodArray<z.ZodObject<{
+        number: z.ZodNumber;
+        url: z.ZodString;
+        title: z.ZodString;
+        state: z.ZodEnum<{
+            closed: "closed";
+            open: "open";
+            merged: "merged";
+        }>;
+        isDraft: z.ZodBoolean;
+        author: z.ZodNullable<z.ZodString>;
+        isOwn: z.ZodBoolean;
+        linkType: z.ZodEnum<{
+            closing: "closing";
+            "cross-referenced": "cross-referenced";
+        }>;
+        updatedAt: z.ZodNullable<z.ZodString>;
+    }, z.core.$strip>>;
+    verdict: z.ZodEnum<{
+        closed: "closed";
+        "own-open-pr": "own-open-pr";
+        taken: "taken";
+        "at-risk": "at-risk";
+        available: "available";
+    }>;
+    verdictReason: z.ZodString;
+    userLogin: z.ZodString;
+}, z.core.$strip>;
 export declare const PostOutputSchema: z.ZodObject<{
     commentUrl: z.ZodString;
     url: z.ZodString;
@@ -1152,6 +1222,9 @@ export interface SearchOutput {
     excludedRepos: string[];
     /** Repos with known anti-AI contribution policies, filtered from search results (#108). */
     aiPolicyBlocklist: string[];
+    /** Candidates dropped because the authenticated user already has an open PR
+     * linked to the issue (#1354). Surfaced as a count so the filter is visible. */
+    hiddenOwnPRCount: number;
     /** Present when rate limits affected the search — either low pre-flight quota or mid-search rate limit hits (#100). */
     rateLimitWarning?: string;
 }

package/dist/formatters/json.js

@@ -26,6 +26,7 @@ export function toCompactDailyOutput(output) {
         capacity: output.capacity,
         briefSummary: output.briefSummary,
         actionableIssues: output.actionableIssues,
+        attention: output.attention,
         actionMenu: output.actionMenu,
         commentedIssues: output.commentedIssues,
         failureCount: output.failures.length,
@@ -271,12 +272,19 @@ export const StrategyOutputSchema = z.object({
     strategy: StrategyResultSchema.nullable(),
     message: z.string().optional(),
 });
+export const AttentionSummarySchema = z.object({
+    needsAttention: z.number().int().nonnegative(),
+    stuckCI: z.number().int().nonnegative(),
+    dormantFollowup: z.number().int().nonnegative(),
+    waiting: z.number().int().nonnegative(),
+});
 export const DailyOutputSchema = z.object({
     digest: DailyDigestCompactSchema,
     capacity: CapacityAssessmentSchema,
     summary: z.string(),
     briefSummary: z.string(),
     actionableIssues: z.array(CompactActionableIssueSchema),
+    attention: AttentionSummarySchema,
     actionMenu: ActionMenuSchema,
     commentedIssues: z.array(CommentedIssuePassthroughSchema),
     repoGroups: z.array(CompactRepoGroupSchema),
@@ -289,6 +297,7 @@ export const CompactDailyOutputSchema = z.object({
     capacity: CapacityAssessmentSchema,
     briefSummary: z.string(),
     actionableIssues: z.array(CompactActionableIssueSchema),
+    attention: AttentionSummarySchema,
     actionMenu: ActionMenuSchema,
     commentedIssues: z.array(CommentedIssuePassthroughSchema),
     failureCount: z.number().int().nonnegative(),
@@ -349,6 +358,7 @@ export const SearchOutputSchema = z.object({
     candidates: z.array(SearchCandidateSchema),
     excludedRepos: z.array(z.string()),
     aiPolicyBlocklist: z.array(z.string()),
+    hiddenOwnPRCount: z.number().int().nonnegative(),
     rateLimitWarning: z.string().optional(),
 });
 // ── Features output schema (scout 0.9.0 #97/#98/#99) ─────────────────
@@ -396,7 +406,10 @@ export const ListMoveTierOutputSchema = z.object({
     toTier: z.enum(['pursue', 'maybe', 'skip']),
     fromTier: z.string().optional(),
     count: z.number().int().nonnegative(),
-    reason: z.string().optional(),
+    // #1355: not-found now throws before reaching the success envelope, so the
+    // only reachable no-op reason is the idempotent one. Pinned so a new quiet
+    // no-op path trips the #1105 runtime validator instead of shipping silently.
+    reason: z.literal('already in target tier').optional(),
 });
 // list-mark-done (#1299): mirrors {@link MarkDoneOutput} from the command
 // module. Strict shape — additional keys must be added here AND in the
@@ -410,6 +423,35 @@ export const ListMarkDoneOutputSchema = z.object({
     remainingUnderRepo: z.number().int().nonnegative(),
     reason: z.string().optional(),
 });
+// verify-issue (#1353, #1354): mirrors {@link IssueVerification} from
+// core/issue-verification.ts. Strict shape — additional keys must be added
+// here AND in the module output, otherwise the validator rejects the
+// response before it reaches consumers.
+export const VerifyIssueOutputSchema = z.object({
+    url: z.string(),
+    owner: z.string(),
+    repo: z.string(),
+    number: z.number().int().positive(),
+    title: z.string(),
+    state: z.enum(['open', 'closed']),
+    stateReason: z.enum(['completed', 'not_planned', 'reopened', 'duplicate']).nullable(),
+    closedAt: z.string().nullable(),
+    assignees: z.array(z.string()),
+    linkedPRs: z.array(z.object({
+        number: z.number().int().positive(),
+        url: z.string(),
+        title: z.string(),
+        state: z.enum(['open', 'closed', 'merged']),
+        isDraft: z.boolean(),
+        author: z.string().nullable(),
+        isOwn: z.boolean(),
+        linkType: z.enum(['closing', 'cross-referenced']),
+        updatedAt: z.string().nullable(),
+    })),
+    verdict: z.enum(['closed', 'own-open-pr', 'taken', 'at-risk', 'available']),
+    verdictReason: z.string(),
+    userLogin: z.string(),
+});
 // ── #1155: Zod coverage for remaining CLI commands ───────────────────
 export const PostOutputSchema = z.object({
     commentUrl: z.string(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oss-autopilot/core",
-  "version": "3.11.0",
+  "version": "3.12.0",
   "description": "CLI and core library for managing open source contributions",
   "type": "module",
   "bin": {
@@ -59,7 +59,7 @@
     "zod": "^4.4.3"
   },
   "devDependencies": {
-    "@types/node": "^25.9.1",
+    "@types/node": "^25.9.3",
     "@vitest/coverage-v8": "^4.1.8",
     "esbuild": "^0.28.0",
     "tsx": "^4.22.4",