@oss-autopilot/core 3.13.0 → 3.13.2

package/dist/commands/dashboard-data.js

@@ -3,7 +3,7 @@
  * Handles GitHub API calls, PR grouping, stats computation, and monthly chart data.
  * Consumed by the dashboard HTTP server (dashboard-server.ts) for the SPA API.
  */
-import { getStateManager, PRMonitor, IssueConversationMonitor, getOctokit, CRITICAL_STATUSES } from '../core/index.js';
+import { getStateManager, PRMonitor, IssueConversationMonitor, getOctokit, CRITICAL_STATUSES, applyStatusOverrides, } from '../core/index.js';
 import { errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
 import { emptyPRCountsResult, fetchMergedPRsSince, fetchClosedPRsSince } from '../core/github-stats.js';
@@ -236,6 +236,13 @@ export async function fetchDashboardData(token) {
     // try-catch: save errors should not crash the dashboard data fetch.
     try {
         stateManager.batch(() => {
+            // Apply status overrides BEFORE partitioning, mirroring the daily check
+            // (daily.ts partitions overriddenPRs). Partitioning on raw status let a
+            // dormant PR with a criticality-flipping override land in a different
+            // partition here than on the CLI surface (#1416). Inside the batch
+            // because getStatusOverride may auto-clear stale overrides with a save,
+            // which must defer to this guarded boundary rather than throw here.
+            const overriddenPRs = applyStatusOverrides(prs, stateManager.getState());
             // Store new merged PRs incrementally (dedupes by URL)
             try {
                 const { dropped } = stateManager.addMergedPRs(newMergedPRs);
@@ -256,20 +263,33 @@ export async function fetchDashboardData(token) {
             catch (error) {
                 warn(MODULE, `Failed to store closed PRs: ${errorMessage(error)}`);
             }
-            // Store monthly chart data (opened/merged/closed) so charts have data
+            // Store monthly chart data (opened/merged/closed) so charts have data.
+            // Analytics intentionally consume RAW prs: overrides only change status,
+            // never the createdAt/mergedAt dates the monthly counts key off.
             const { monthlyCounts, monthlyOpenedCounts: openedFromMerged } = mergedResult;
             const { monthlyCounts: monthlyClosedCounts, monthlyOpenedCounts: openedFromClosed } = closedResult;
             updateMonthlyAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed);
+            // The digest keeps RAW statuses in openPRs: this digest becomes the
+            // server's cached/persisted rebuild source, and baking overridden
+            // statuses into it would make CLEARING an override (move target=auto) a
+            // silent no-op until the next full refresh — buildDashboardJson can
+            // only apply overrides that still exist, never un-apply baked ones. It
+            // re-applies live overrides per request before partitioning.
             const digest = prMonitor.generateDigest(prs, recentlyClosedPRs, recentlyMergedPRs);
             // Apply shelve partitioning for display (auto-unshelve only runs in daily check).
             // Dormant PRs are treated as shelved unless they need addressing, and a
             // critical PR is never display-shelved (#1352) — mirrors the daily
             // check's CRITICAL_STATUSES auto-unshelve so headline counts agree.
+            // Partitioned over overriddenPRs (#1416): the shelve decision must use
+            // the same post-override status the CLI partitions on.
             const shelvedUrls = new Set(stateManager.getState().config.shelvedPRUrls || []);
-            const freshShelved = prs.filter((pr) => !CRITICAL_STATUSES.has(pr.status) && (shelvedUrls.has(pr.url) || pr.stalenessTier === 'dormant'));
+            // Single copy of the shelve predicate (#1421): isShelvedForDisplay is
+            // the same rule reconcileShelvePartition applies on rebuilds, so its
+            // regression tests now guard this line too.
+            const freshShelved = overriddenPRs.filter((pr) => isShelvedForDisplay(pr, shelvedUrls));
             digest.shelvedPRs = freshShelved.map(toShelvedPRRef);
             digest.autoUnshelvedPRs = [];
-            digest.summary.totalActivePRs = prs.length - freshShelved.length;
+            digest.summary.totalActivePRs = overriddenPRs.length - freshShelved.length;
             stateManager.setLastDigest(digest);
         });
     }

package/dist/commands/dashboard-server.js

@@ -9,7 +9,7 @@ import * as http from 'node:http';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
-import { getStateManager, getGitHubToken, getCLIVersion, applyStatusOverrides, classifyAttentionBucket, } from '../core/index.js';
+import { getStateManager, getGitHubToken, getCLIVersion, applyStatusOverrides, classifyAttentionBucket, maybeCheckpoint, } from '../core/index.js';
 import { errorMessage, ValidationError, ConcurrencyError, GistConcurrencyError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
 import { validateUrl, validateGitHubUrl, PR_URL_PATTERN, ISSUE_URL_PATTERN } from './validation.js';
@@ -75,12 +75,23 @@ function getIssueListMtimeMs() {
  * start-up, so tests that need a specific digest should call this directly).
  */
 export function buildDashboardJson(digest, state, commentedIssues, allMergedPRs, allClosedPRs, partialFailures) {
+    // Apply status overrides ONCE, before the shelve partition is derived, so
+    // the dashboard partitions on the same post-override status the CLI
+    // partitions on (#1416). This also covers overrides set AFTER the digest
+    // was cached (a dashboard move stores an override; the action path rebuilds
+    // from the cached digest). Work on a copy — the caller's cached digest must
+    // not accumulate per-request derivations.
+    const overriddenDigest = {
+        ...digest,
+        openPRs: applyStatusOverrides(digest.openPRs || [], state),
+        summary: { ...digest.summary },
+    };
     // Re-derive the shelve partition from the CURRENT state before reading it.
     // The POST /api/action path rebuilds with a cached digest whose shelvedPRs
     // predates the shelve/unshelve, so without this the SPA action appears to do
     // nothing until the next full /api/refresh.
-    reconcileShelvePartition(digest, state);
-    const prsByRepo = computePRsByRepo(digest, state);
+    reconcileShelvePartition(overriddenDigest, state);
+    const prsByRepo = computePRsByRepo(overriddenDigest, state);
     const topRepos = computeTopRepos(prsByRepo);
     const { monthlyMerged, monthlyOpened, monthlyClosed } = getMonthlyData(state);
     // Derive from state if not provided (e.g. initial load from cached state)
@@ -92,7 +103,7 @@ export function buildDashboardJson(digest, state, commentedIssues, allMergedPRs,
     const isAboveMinStars = (pr) => !isBelowMinStars(repoScores[pr.repo]?.stargazersCount, minStars);
     const filteredMergedPRs = mergedPRs.filter(isAboveMinStars);
     const filteredClosedPRs = closedPRs.filter(isAboveMinStars);
-    const stats = buildDashboardStats(digest, state, filteredMergedPRs.length, filteredClosedPRs.length);
+    const stats = buildDashboardStats(overriddenDigest, state, filteredMergedPRs.length, filteredClosedPRs.length);
     const dismissedIssues = state.config.dismissedIssues || {};
     const issueResponses = commentedIssues.filter((i) => i.status === 'new_response' && !(i.url in dismissedIssues));
     // Build repo metadata map from repoScores — omit repos without stars or language to avoid empty entries
@@ -115,7 +126,10 @@ export function buildDashboardJson(digest, state, commentedIssues, allMergedPRs,
         monthlyClosed,
         // #1352: stamp the unified attention bucket so the SPA renders the same
         // taxonomy the CLI brief counts (single classifier, no second opinion).
-        activePRs: applyStatusOverrides(digest.openPRs || [], state).map((pr) => ({
+        // Overrides were already applied when overriddenDigest was built — a
+        // second application here would be a no-op but obscures the single
+        // apply-then-partition ordering (#1416).
+        activePRs: (overriddenDigest.openPRs || []).map((pr) => ({
             ...pr,
             attentionBucket: classifyAttentionBucket(pr),
         })),
@@ -123,10 +137,10 @@ export function buildDashboardJson(digest, state, commentedIssues, allMergedPRs,
         // and dormant-non-addressing PRs auto-shelved for display). Returning
         // only state.config.shelvedPRUrls would under-count and desync from
         // stats.shelvedPRs, which is already derived from digest.shelvedPRs. (#981)
-        shelvedPRUrls: (digest.shelvedPRs || []).map((ref) => ref.url),
-        recentlyMergedPRs: digest.recentlyMergedPRs || [],
-        recentlyClosedPRs: digest.recentlyClosedPRs || [],
-        autoUnshelvedPRs: digest.autoUnshelvedPRs || [],
+        shelvedPRUrls: (overriddenDigest.shelvedPRs || []).map((ref) => ref.url),
+        recentlyMergedPRs: overriddenDigest.recentlyMergedPRs || [],
+        recentlyClosedPRs: overriddenDigest.recentlyClosedPRs || [],
+        autoUnshelvedPRs: overriddenDigest.autoUnshelvedPRs || [],
         commentedIssues,
         issueResponses,
         allMergedPRs: filteredMergedPRs,
@@ -296,11 +310,46 @@ export async function startDashboardServer(options) {
     // not disappear when /api/data rebuilds after a state change or after a
     // POST /api/action completes.
     let cachedPartialFailures = undefined;
+    // Gist checkpoint warnings from dashboard mutations (#1417). DELIBERATELY
+    // separate from cachedPartialFailures: fetch failures clear on a successful
+    // PULL, but a gist-sync warning means an un-pushed mutation, and a pull is
+    // exactly the event that can destroy it (refreshFromGist wholesale-replaces
+    // state). These clear only when a checkpoint PUSH succeeds.
+    let pendingGistSyncWarnings = [];
     // Tracks the last background-refresh failure so /api/data can surface
     // staleness to the SPA via the X-Dashboard-Stale header (#1205). Cleared
     // when a refresh succeeds. Without this, token expiry / GitHub outage
     // produces silent stale data hours old with no client-visible signal.
     let lastBackgroundRefreshError = null;
+    /** Record a mutation's checkpoint outcome. `null` means the push succeeded
+     * (or local mode) — and a successful push carries the FULL current state,
+     * so any previously pending warning is resolved with it. */
+    function recordGistSyncOutcome(warning) {
+        if (warning === null) {
+            pendingGistSyncWarnings = [];
+            return;
+        }
+        if (!pendingGistSyncWarnings.includes(warning)) {
+            pendingGistSyncWarnings.push(warning);
+        }
+    }
+    /** Merge pending gist-sync warnings into a partialFailures payload for the
+     * SPA banner without coupling their lifecycles. */
+    function withPendingGistWarnings(failures) {
+        if (pendingGistSyncWarnings.length === 0)
+            return failures;
+        const base = failures ?? [];
+        return [...base, ...pendingGistSyncWarnings.filter((w) => !base.includes(w))];
+    }
+    /** Push-before-pull (#1417): an un-pushed mutation would be silently
+     * reverted by the next Gist pull. Retry the checkpoint first so a recovered
+     * network turns the pending warning into a real push before any pull runs.
+     * No-op when nothing is pending. */
+    async function flushPendingGistSync() {
+        if (pendingGistSyncWarnings.length === 0)
+            return;
+        recordGistSyncOutcome(await maybeCheckpoint(stateManager, MODULE));
+    }
     if (!cachedDigest) {
         throw new Error('No dashboard data available. Run the daily check first: GITHUB_TOKEN=$(gh auth token) npm start -- daily');
     }
@@ -308,7 +357,7 @@ export async function startDashboardServer(options) {
     let cachedJsonData;
     let cachedIssueListMtimeMs = getIssueListMtimeMs();
     try {
-        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, undefined, undefined, cachedPartialFailures);
+        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, undefined, undefined, withPendingGistWarnings(cachedPartialFailures));
     }
     catch (error) {
         throw new Error(`Failed to build dashboard data: ${errorMessage(error)}. State data may be corrupted — try running: daily --json`, { cause: error });
@@ -343,6 +392,7 @@ export async function startDashboardServer(options) {
                 // Re-read state if modified externally (file mtime for local, Gist API for Gist mode)
                 let stateChanged = false;
                 if (stateManager.isGistMode()) {
+                    await flushPendingGistSync();
                     stateChanged = await stateManager.refreshFromGist();
                 }
                 else {
@@ -353,7 +403,7 @@ export async function startDashboardServer(options) {
                 const issueListChanged = currentIssueListMtimeMs !== cachedIssueListMtimeMs;
                 if (stateChanged || issueListChanged) {
                     try {
-                        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, undefined, undefined, cachedPartialFailures);
+                        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, undefined, undefined, withPendingGistWarnings(cachedPartialFailures));
                         cachedIssueListMtimeMs = currentIssueListMtimeMs;
                     }
                     catch (error) {
@@ -432,6 +482,7 @@ export async function startDashboardServer(options) {
     /** Re-read state written by external processes (CLI) before mutating. */
     async function reloadState() {
         if (stateManager.isGistMode()) {
+            await flushPendingGistSync();
             await stateManager.refreshFromGist();
         }
         else {
@@ -475,6 +526,11 @@ export async function startDashboardServer(options) {
         }
         // Resolve the mutation up-front so target validation happens before the
         // state reload — keeps the reload-to-save freshness window minimal.
+        // Each mutation records the Gist checkpoint outcome (#1417): in gist mode
+        // `save()` only writes the local cache, and an un-pushed mutation can be
+        // wholesale-reverted by the next successful refreshFromGist — so a failed
+        // push must reach the SPA, not vanish into a discarded return value.
+        let gistSyncWarning = null;
         let applyMutation;
         if (body.action === 'move') {
             const { VALID_TARGETS, runMove } = await import('./move.js');
@@ -484,13 +540,18 @@ export async function startDashboardServer(options) {
             }
             const target = body.target;
             applyMutation = async () => {
-                await runMove({ prUrl: body.url, target });
+                const output = await runMove({ prUrl: body.url, target });
+                gistSyncWarning = output.gistSyncWarning ?? null;
             };
         }
         else {
             // dismiss_issue_response
-            applyMutation = () => {
+            applyMutation = async () => {
                 stateManager.dismissIssue(body.url, new Date().toISOString());
+                // Mirror runMove's contract: every mutating surface checkpoints to
+                // Gist and surfaces the warning. Never throws — failures come back
+                // as the warning string.
+                gistSyncWarning = await maybeCheckpoint(stateManager, MODULE);
             };
         }
         // Reload state before mutating to avoid overwriting external CLI changes.
@@ -530,11 +591,16 @@ export async function startDashboardServer(options) {
                 return;
             }
         }
+        // Surface the checkpoint outcome through the partialFailures banner the
+        // SPA already renders (#1417). Tracked in pendingGistSyncWarnings — NOT
+        // cachedPartialFailures — because gist warnings clear on a successful
+        // PUSH, while fetch failures clear on a successful pull/refresh.
+        recordGistSyncOutcome(gistSyncWarning);
         // Rebuild dashboard data from cached digest + updated state. Persist
         // the last-known partialFailures across action rebuilds (#1035) so the
         // SPA banner survives user interactions until the next successful
         // refresh clears it.
-        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, undefined, undefined, cachedPartialFailures);
+        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, undefined, undefined, withPendingGistWarnings(cachedPartialFailures));
         cachedIssueListMtimeMs = getIssueListMtimeMs();
         sendJson(res, 200, cachedJsonData);
     }
@@ -554,7 +620,7 @@ export async function startDashboardServer(options) {
             // Update the persistent banner signal — clear on a clean refresh,
             // set when one or more sub-fetches degraded. See #1035.
             cachedPartialFailures = result.partialFailures.length > 0 ? result.partialFailures : undefined;
-            cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, result.allMergedPRs, result.allClosedPRs, cachedPartialFailures);
+            cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, result.allMergedPRs, result.allClosedPRs, withPendingGistWarnings(cachedPartialFailures));
             cachedIssueListMtimeMs = getIssueListMtimeMs();
             sendJson(res, 200, cachedJsonData);
         }
@@ -675,6 +741,7 @@ export async function startDashboardServer(options) {
         fetchDashboardData(token)
             .then(async (result) => {
             if (stateManager.isGistMode()) {
+                await flushPendingGistSync();
                 await stateManager.refreshFromGist();
             }
             else {
@@ -683,7 +750,7 @@ export async function startDashboardServer(options) {
             cachedDigest = result.digest;
             cachedCommentedIssues = result.commentedIssues;
             cachedPartialFailures = result.partialFailures.length > 0 ? result.partialFailures : undefined;
-            cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, result.allMergedPRs, result.allClosedPRs, cachedPartialFailures);
+            cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, result.allMergedPRs, result.allClosedPRs, withPendingGistWarnings(cachedPartialFailures));
             cachedIssueListMtimeMs = getIssueListMtimeMs();
             // Successful refresh clears any prior failure signal (#1205).
             lastBackgroundRefreshError = null;

package/dist/commands/features.js

@@ -52,7 +52,11 @@ function toFeaturesCandidate(scoutCandidate, getState) {
     // this repo" rather than a fabricated score.
     const grade = gradeFromCandidate({
         repo: scoutCandidate.issue.repo,
-        projectHealth: { avgIssueResponseDays: null, daysSinceLastCommit: null, checkFailed: true },
+        projectHealth: {
+            repo: scoutCandidate.issue.repo,
+            checkFailed: true,
+            failureReason: 'health not fetched on the multi-issue feature surface',
+        },
         getRepoScore: (repo) => {
             const score = getState.getRepoScore(repo);
             return score

package/dist/commands/list-move-tier.js

@@ -184,10 +184,20 @@ export async function runListMoveTier(options) {
             'Add the entry to the list first, then re-run list-move-tier.');
     }
     if (result.moved) {
+        // tmp+rename so a crash mid-write can't truncate the curated list —
+        // same atomic pattern as list-mark-done (#1421).
+        const tmp = `${filePath}.tmp-${process.pid}-${Date.now()}`;
         try {
-            fs.writeFileSync(filePath, result.content, 'utf8');
+            fs.writeFileSync(tmp, result.content, 'utf8');
+            fs.renameSync(tmp, filePath);
         }
         catch (error) {
+            try {
+                fs.unlinkSync(tmp);
+            }
+            catch {
+                // best-effort cleanup
+            }
             throw new Error(`Failed to write file: ${errorMessage(error)}`, { cause: error });
         }
     }

package/dist/commands/scout-bridge.js

@@ -90,8 +90,20 @@ export function buildScoutState() {
             // `--split-ratio` flags for overrides.
             featuresAnchorThreshold: 3,
             featuresSplitRatio: 0.6,
+            // Personalization-bias prefs, likewise required on the inferred type
+            // (scout #1244 / #168). Autopilot doesn't surface these as settings yet,
+            // so we pass scout's documented "no bias" defaults.
+            preferLanguages: [],
+            preferRepos: [],
+            diversityRatio: 0,
+            avoidRepos: [],
+            boostIssueTypes: [],
         },
         repoScores: state.repoScores,
+        // Scout #117 added tombstones (deletion records for gist merge). Autopilot
+        // synthesizes a fresh ScoutState per operation and tracks no deletions, so
+        // an empty list is correct here.
+        tombstones: [],
         starredRepos: config.starredRepos,
         starredReposLastFetched: config.starredReposLastFetched,
         mergedPRs: (state.mergedPRs ?? []).map((pr) => ({

package/dist/commands/search.js

@@ -97,7 +97,11 @@ export async function runSearch(options) {
             // before" rather than a fabricated score.
             const grade = gradeFromCandidate({
                 repo: c.issue.repo,
-                projectHealth: { avgIssueResponseDays: null, daysSinceLastCommit: null, checkFailed: true },
+                projectHealth: {
+                    repo: c.issue.repo,
+                    checkFailed: true,
+                    failureReason: 'health not fetched on the multi-issue search surface',
+                },
                 getRepoScore: (repo) => {
                     const score = stateManager.getRepoScore(repo);
                     return score
@@ -135,9 +139,14 @@ export async function runSearch(options) {
                     }
                     : undefined,
                 ...(linkedPR ? { linkedPR } : {}),
-                ...(typeof c.boostScore === 'number' ? { boostScore: c.boostScore } : {}),
-                ...(c.boostReasons && c.boostReasons.length > 0 ? { boostReasons: c.boostReasons } : {}),
-                ...(c.diversitySlot === true ? { diversitySlot: true } : {}),
+                // Scout 1.0 folded the boostScore/boostReasons/diversitySlot trio into a
+                // single `personalization` field (#158). Derive the flat output fields
+                // from it so this command's JSON shape is unchanged.
+                ...(c.personalization?.kind === 'boosted' ? { boostScore: c.personalization.score } : {}),
+                ...(c.personalization?.kind === 'boosted' && c.personalization.reasons.length > 0
+                    ? { boostReasons: c.personalization.reasons }
+                    : {}),
+                ...(c.personalization?.kind === 'diversity' ? { diversitySlot: true } : {}),
             };
         }),
         excludedRepos: result.excludedRepos,

package/dist/core/auth.js

@@ -13,6 +13,22 @@ const MODULE = 'auth';
 // Cached GitHub token (fetched once per session)
 let cachedGitHubToken = null;
 let tokenFetchAttempted = false;
+/**
+ * A `gh auth token` spawn that timed out is transient (#1415): the CLI is
+ * installed and may answer on the next call (slow disk, machine waking,
+ * momentary load). Everything else is definitive for the process lifetime —
+ * ENOENT (gh not installed) and a non-zero exit (not authenticated) will not
+ * change without user action, so those still latch `tokenFetchAttempted`.
+ * The async execFile timeout surfaces as `killed: true` (signal SIGTERM);
+ * the sync execFileSync timeout surfaces as `code: 'ETIMEDOUT'` (no
+ * `killed` property) — both arms are load-bearing, one per path.
+ */
+function isTransientTokenFetchError(err) {
+    if (!err || typeof err !== 'object')
+        return false;
+    const e = err;
+    return e.killed === true || e.code === 'ETIMEDOUT';
+}
 /**
  * Retrieves a GitHub authentication token, checking sources in priority order.
  *
@@ -29,7 +45,6 @@ export function getGitHubToken() {
     if (tokenFetchAttempted) {
         return null;
     }
-    tokenFetchAttempted = true;
     if (process.env.GITHUB_TOKEN) {
         cachedGitHubToken = process.env.GITHUB_TOKEN;
         return cachedGitHubToken;
@@ -40,6 +55,8 @@ export function getGitHubToken() {
             stdio: ['pipe', 'pipe', 'pipe'],
             timeout: 2000,
         }).trim();
+        // Definitive outcome (a token, or authoritatively none) — latch.
+        tokenFetchAttempted = true;
         if (token && token.length > 0) {
             cachedGitHubToken = token;
             debug(MODULE, 'Using GitHub token from gh CLI');
@@ -47,9 +64,14 @@ export function getGitHubToken() {
         }
     }
     catch (err) {
-        // Promote to warn-once-per-session so a slow `gh` (2s timeout) or a
-        // misconfigured CLI is visible without DEBUG=1 (#1209 L6). The
-        // tokenFetchAttempted cache means subsequent calls don't re-warn.
+        // Latch only on definitive failures (#1415): a timeout must not
+        // permanently disable token fetch for a long-lived process (the MCP
+        // server), or gist-mode mutations silently degrade to local-only for
+        // the process lifetime. Promote to warn so a slow `gh` (2s timeout) or
+        // a misconfigured CLI is visible without DEBUG=1 (#1209 L6).
+        if (!isTransientTokenFetchError(err)) {
+            tokenFetchAttempted = true;
+        }
         warn(MODULE, `gh auth token failed (CLI unavailable or not authenticated): ${err instanceof Error ? err.message : String(err)}`);
     }
     return null;
@@ -97,7 +119,6 @@ export async function getGitHubTokenAsync() {
     if (tokenFetchAttempted) {
         return null;
     }
-    tokenFetchAttempted = true;
     if (process.env.GITHUB_TOKEN) {
         cachedGitHubToken = process.env.GITHUB_TOKEN;
         return cachedGitHubToken;
@@ -113,6 +134,8 @@ export async function getGitHubTokenAsync() {
                 }
             });
         });
+        // Definitive outcome (a token, or authoritatively none) — latch.
+        tokenFetchAttempted = true;
         if (token && token.length > 0) {
             cachedGitHubToken = token;
             debug(MODULE, 'Using GitHub token from gh CLI (async)');
@@ -120,7 +143,11 @@ export async function getGitHubTokenAsync() {
         }
     }
     catch (err) {
-        // Same warn-once promotion as the sync version (#1209 L6).
+        // Same transient/definitive split and warn promotion as the sync
+        // version (#1415, #1209 L6).
+        if (!isTransientTokenFetchError(err)) {
+            tokenFetchAttempted = true;
+        }
         warn(MODULE, `gh auth token failed (CLI unavailable or not authenticated): ${err instanceof Error ? err.message : String(err)}`);
     }
     return null;

package/dist/core/index.d.ts

@@ -2,13 +2,13 @@
  * Core module exports
  * Re-exports all core functionality for convenient imports
  */
-export { StateManager, getStateManager, getStateManagerAsync, ensureGistPersistence, maybeCheckpoint, resetStateManager, type Stats, } from './state.js';
+export { StateManager, getStateManager, getStateManagerAsync, ensureGistPersistence, type GistPersistenceStatus, maybeCheckpoint, resetStateManager, type Stats, } from './state.js';
 export { GistStateStore } from './gist-state-store.js';
 export { guidelinesFilename, repoFromGuidelinesFilename, GUIDELINES_FILE_PREFIX, GUIDELINES_MAX_BYTES, GuidelinesNotAvailableError, GuidelinesTooLargeError, } from './guidelines-store.js';
 export { PRMonitor, type PRCheckFailure, type FetchPRsResult, computeDisplayLabel, classifyCICheck, classifyFailingChecks, } from './pr-monitor.js';
 export { IssueConversationMonitor } from './issue-conversation.js';
 export { isBotAuthor, isAcknowledgmentComment } from './comment-utils.js';
-export { wrapUntrustedContent, extractFromFence, safeExtractFromFence, UNTRUSTED_OPEN_TAG_NAME, UNTRUSTED_CLOSE_TAG, type UntrustedContentMeta, } from './untrusted-content.js';
+export { wrapUntrustedContent, fenceFetchedPR, extractFromFence, safeExtractFromFence, UNTRUSTED_OPEN_TAG_NAME, UNTRUSTED_CLOSE_TAG, type UntrustedContentMeta, } from './untrusted-content.js';
 export { getOctokit, checkRateLimit, type RateLimitInfo } from './github.js';
 export { parseGitHubUrl, splitRepo, isOwnRepo } from './urls.js';
 export { daysBetween, formatRelativeTime, byDateDescending } from './dates.js';

package/dist/core/index.js

@@ -9,7 +9,7 @@ export { PRMonitor, computeDisplayLabel, classifyCICheck, classifyFailingChecks,
 // Search/vetting now delegated to @oss-scout/core via commands/scout-bridge.ts
 export { IssueConversationMonitor } from './issue-conversation.js';
 export { isBotAuthor, isAcknowledgmentComment } from './comment-utils.js';
-export { wrapUntrustedContent, extractFromFence, safeExtractFromFence, UNTRUSTED_OPEN_TAG_NAME, UNTRUSTED_CLOSE_TAG, } from './untrusted-content.js';
+export { wrapUntrustedContent, fenceFetchedPR, extractFromFence, safeExtractFromFence, UNTRUSTED_OPEN_TAG_NAME, UNTRUSTED_CLOSE_TAG, } from './untrusted-content.js';
 export { getOctokit, checkRateLimit } from './github.js';
 export { parseGitHubUrl, splitRepo, isOwnRepo } from './urls.js';
 export { daysBetween, formatRelativeTime, byDateDescending } from './dates.js';

package/dist/core/issue-grading.d.ts

@@ -10,6 +10,7 @@
  * treated as a risk, not ignored). This matches the policy previously
  * described as prose in agents/issue-scout.md.
  */
+import type { ProjectHealth } from '@oss-scout/core';
 export type GradeLetter = 'A' | 'B' | 'C' | 'F';
 export interface GradeSignals {
     /** Average maintainer response time in days; null if unknown. */
@@ -61,11 +62,7 @@ export declare function deriveGradeSignals(params: {
  */
 export declare function gradeFromCandidate(params: {
     repo: string;
-    projectHealth: {
-        avgIssueResponseDays: number | null;
-        daysSinceLastCommit: number | null;
-        checkFailed?: boolean;
-    };
+    projectHealth: ProjectHealth;
     getRepoScore: (repo: string) => {
         mergedPRCount: number;
         closedWithoutMergeCount: number;

package/dist/core/issue-grading.js

@@ -103,8 +103,19 @@ export function deriveGradeSignals(params) {
  */
 export function gradeFromCandidate(params) {
     const repoScore = params.getRepoScore(params.repo);
+    // Narrow the union into the minimal shape deriveGradeSignals expects. The
+    // check-failed arm has no avgIssueResponseDays/daysSinceLastCommit, and the
+    // grader already treats checkFailed as untrusted (no snapshot signals).
+    const ph = params.projectHealth;
+    const projectHealth = ph.checkFailed
+        ? { avgIssueResponseDays: null, daysSinceLastCommit: null, checkFailed: true }
+        : {
+            avgIssueResponseDays: ph.avgIssueResponseDays,
+            daysSinceLastCommit: ph.daysSinceLastCommit,
+            checkFailed: false,
+        };
     return computeSuccessGrade(deriveGradeSignals({
-        projectHealth: params.projectHealth,
+        projectHealth,
         repoScore: repoScore
             ? {
                 mergedPRCount: repoScore.mergedPRCount,

package/dist/core/state.d.ts

@@ -441,7 +441,21 @@ export declare function getStateManagerAsync(token?: string): Promise<StateManag
  * // CLI bootstrap
  * await ensureGistPersistence(token);
  */
-export declare function ensureGistPersistence(token: string | null): Promise<void>;
+export type GistPersistenceStatus = 
+/** No state file yet, or config does not request gist mode. */
+'local-mode'
+/** The state file exists but could not be read/parsed for this attempt
+ * (permissions, transient FS error, corrupt JSON). Callers must NOT
+ * memoize this as "local mode chosen" — a later attempt may succeed. */
+ | 'state-unreadable'
+/** Gist mode is configured but no token was available for this attempt. */
+ | 'no-token'
+/** Gist mode active: the singleton is gist-backed. */
+ | 'gist'
+/** Gist mode is configured and a token was available, but init fell back
+ * to local-only (transient network failure). A later call may recover. */
+ | 'degraded';
+export declare function ensureGistPersistence(token: string | null): Promise<GistPersistenceStatus>;
 /**
  * Reset the singleton StateManager instance to null. Intended for test isolation.
  */