@oss-autopilot/core 3.13.0 → 3.13.2

package/dist/core/state.js

@@ -924,13 +924,27 @@ export function getStateManager() {
  * StateManager and Gist checkpoints will be no-ops.
  */
 export async function getStateManagerAsync(token) {
-    if (stateManager)
+    // #1415: a LOCAL-mode singleton does not short-circuit when a token is
+    // provided. The only token-bearing caller is ensureGistPersistence, which
+    // already verified the config says `persistence: gist` — so a local
+    // singleton here means a previous transient init failure fell back (or a
+    // tool body lazily created the local manager before auth resolved), and
+    // this call is the retry that must be allowed to upgrade it. The old
+    // unconditional early return made every retry a dead no-op, permanently
+    // latching gist-configured processes into silent local-only writes.
+    if (stateManager && (!token || stateManager.isGistMode()))
         return stateManager;
     if (asyncManagerPromise)
         return asyncManagerPromise;
     if (token) {
         asyncManagerPromise = StateManager.createWithGist(token)
             .then((mgr) => {
+            // Upgrade note: replacing a transient-fallback local singleton fixes
+            // FUTURE operations. Mutations made during the degraded window stay
+            // in the local state.json only — when a Gist already exists they are
+            // NOT merged into it by this upgrade (bootstrapWithMigration seeds a
+            // Gist from local state only on first creation). The per-call MCP
+            // warning is the signal that those writes were at risk.
             stateManager = mgr;
             asyncManagerPromise = null;
             return mgr;
@@ -949,6 +963,9 @@ export async function getStateManagerAsync(token) {
             // marker stays in config, causing permanent cross-machine divergence.
             if (!isTransientNetworkError(err))
                 throw err;
+            // Intentional CLI semantics: a one-shot process warns and proceeds
+            // local-only. Long-lived callers (MCP) detect this via the
+            // ensureGistPersistence return status and retry on later calls.
             warn(MODULE, `Gist initialization failed (transient network error), falling back to local-only mode: ${err}`);
             return getStateManager();
         });
@@ -956,39 +973,32 @@ export async function getStateManagerAsync(token) {
     }
     return getStateManager();
 }
-/**
- * Bootstrap helper for processes that may run in Gist persistence mode.
- *
- * Peeks at the state file to check if Gist mode is configured. If so and a
- * valid token is provided, pre-sets the singleton via {@link getStateManagerAsync}
- * so subsequent synchronous {@link getStateManager} calls return the Gist-backed
- * instance. No-op when the state file is absent, unparseable, or not in Gist mode.
- *
- * Consolidates identical filesystem-peek + getStateManagerAsync logic that
- * was duplicated between the CLI bootstrap (`cli.ts`) and MCP tool bootstrap
- * (`mcp-server/src/tools.ts`) — #1000.
- *
- * @param token - GitHub token with `gist` scope, or `null` to skip activation
- *
- * @example
- * // CLI bootstrap
- * await ensureGistPersistence(token);
- */
 export async function ensureGistPersistence(token) {
-    if (!token)
-        return;
     let persistence;
     try {
         const raw = fs.readFileSync(getStatePath(), 'utf8');
         persistence = JSON.parse(raw)?.config?.persistence;
     }
-    catch {
-        // No state file or unreadable — stay in local mode
-        return;
-    }
-    if (persistence === 'gist') {
-        await getStateManagerAsync(token);
-    }
+    catch (err) {
+        // A missing file is the genuine "fresh local-mode user" case. Anything
+        // else (EACCES, EMFILE, corrupt JSON) must not be silently classified
+        // as a local-mode CHOICE — that would re-create the #1415 latch through
+        // a third door when the caller memoizes the answer.
+        if (err.code === 'ENOENT')
+            return 'local-mode';
+        warn(MODULE, `State file unreadable during gist-persistence check (will retry): ${errorMessage(err)}`);
+        return 'state-unreadable';
+    }
+    if (persistence !== 'gist')
+        return 'local-mode';
+    // #1415: report the distinction the MCP layer needs — "gist configured but
+    // token missing" and "init fell back to local" both mean the process is
+    // NOT writing to the Gist despite the config saying it should, and a
+    // long-lived caller must keep retrying instead of memoizing the outcome.
+    if (!token)
+        return 'no-token';
+    const mgr = await getStateManagerAsync(token);
+    return mgr.isGistMode() ? 'gist' : 'degraded';
 }
 /**
  * Reset the singleton StateManager instance to null. Intended for test isolation.

package/dist/core/strategy.js

@@ -105,6 +105,25 @@ function recommendForOverExtension(openPRCount, dormantPRCount, overExtended) {
         return 'open_more';
     return null;
 }
+/**
+ * Read-only mirror of the status-override lookup (#1416): same staleness
+ * rule as `StateManager.getStatusOverride` (an override recorded against
+ * older activity than the PR's `updatedAt` is ignored), but with NO
+ * auto-clear write — this module stays pure/no-I/O, and the daily and
+ * dashboard pipelines own clearing stale overrides.
+ */
+function effectiveStatus(pr, state) {
+    if (typeof pr.url !== 'string')
+        return pr.status;
+    const override = state.config.statusOverrides?.[pr.url];
+    if (!override)
+        return pr.status;
+    if (typeof pr.updatedAt === 'string' && pr.updatedAt > override.lastActivityAt)
+        return pr.status;
+    if (override.status !== 'needs_addressing' && override.status !== 'waiting_on_maintainer')
+        return pr.status;
+    return override.status;
+}
 /**
  * Compute the deterministic strategy signal from agent state. Returns
  * null when state is thinner than {@link STRATEGY_MIN_PRS} merged PRs —
@@ -158,12 +177,20 @@ export function computeStrategy(state) {
     // Capacity: read from the last digest. When no digest exists yet,
     // default to zero (the agent has nothing to recommend without a
     // digest). The DailyDigest schema does not store a `dormantCount`
-    // directly — derive it from the `waitingOnMaintainerPRs` array,
-    // which is the "PR flagged as awaiting maintainer review" bucket
-    // produced by `pr-monitor`.
+    // directly — derive it from the "awaiting maintainer review" bucket.
+    //
+    // Status-basis reconciliation (#1416): dashboard-written digests keep RAW
+    // statuses in `openPRs` (so override CLEARS stay visible on rebuild) while
+    // `summary.totalActivePRs` is override-basis. Re-derive the waiting bucket
+    // from `openPRs` through the override map so both capacity inputs share
+    // one basis; fall back to the stored array for digests without `openPRs`
+    // (which daily.ts builds post-override anyway).
     const summary = state.lastDigest?.summary;
     const openPRCount = summary?.totalActivePRs ?? 0;
-    const waiting = state.lastDigest?.waitingOnMaintainerPRs ?? [];
+    const openPRs = (state.lastDigest?.openPRs ?? []);
+    const waiting = openPRs.length > 0
+        ? openPRs.filter((pr) => effectiveStatus(pr, state) === 'waiting_on_maintainer')
+        : (state.lastDigest?.waitingOnMaintainerPRs ?? []);
     const dormantPRCount = waiting.length;
     // Overextended: dormant PRs spread across 2+ repos. Same definition
     // the issue body uses.

package/dist/core/untrusted-content.d.ts

@@ -18,6 +18,9 @@
  *
  *  - `runComments` (commands/comments.ts): review / inline / discussion
  *    comment bodies in the `comments` CLI `--json` + MCP tool output.
+ *  - `deduplicateDigest` (formatters/json.ts) and the MCP PR resources:
+ *    `openPRs[].lastMaintainerComment.body` via {@link fenceFetchedPR}
+ *    (#1420).
  *  - `fetchPRCommentBundle` (core/pr-comments-fetcher.ts): bundle bodies
  *    feeding `guidelines fetch-corpus` (agent-only consumer).
  *  - `toDailyOutput` (commands/daily.ts): `commentedIssues[].lastResponseBody`
@@ -67,3 +70,24 @@ export declare function extractFromFence(fenced: string): string;
  * never throws.
  */
 export declare function safeExtractFromFence(text: string): string;
+/**
+ * Fence the attacker-controllable maintainer-comment excerpt on a FetchedPR
+ * for agent-facing serialization (#1420). Applied at the serialization
+ * boundary (daily/startup --json via deduplicateDigest, MCP PR resources)
+ * rather than at fetch time: extractMaintainerActionHints parses the RAW
+ * body inside the pipeline, and human surfaces (dashboard SPA, CLI text
+ * mode) must not render fence markup. Returns a copy; never mutates.
+ */
+export declare function fenceFetchedPR<T extends FenceablePR>(pr: T): T;
+/** Structural slice of FetchedPR that {@link fenceFetchedPR} needs — kept
+ * structural to avoid an import cycle with types.ts consumers. */
+interface FenceablePR {
+    repo: string;
+    number: number;
+    lastMaintainerComment?: {
+        author: string;
+        body: string;
+        createdAt: string;
+    };
+}
+export {};

package/dist/core/untrusted-content.js

@@ -18,6 +18,9 @@
  *
  *  - `runComments` (commands/comments.ts): review / inline / discussion
  *    comment bodies in the `comments` CLI `--json` + MCP tool output.
+ *  - `deduplicateDigest` (formatters/json.ts) and the MCP PR resources:
+ *    `openPRs[].lastMaintainerComment.body` via {@link fenceFetchedPR}
+ *    (#1420).
  *  - `fetchPRCommentBundle` (core/pr-comments-fetcher.ts): bundle bodies
  *    feeding `guidelines fetch-corpus` (agent-only consumer).
  *  - `toDailyOutput` (commands/daily.ts): `commentedIssues[].lastResponseBody`
@@ -132,3 +135,25 @@ export function safeExtractFromFence(text) {
         return text;
     }
 }
+/**
+ * Fence the attacker-controllable maintainer-comment excerpt on a FetchedPR
+ * for agent-facing serialization (#1420). Applied at the serialization
+ * boundary (daily/startup --json via deduplicateDigest, MCP PR resources)
+ * rather than at fetch time: extractMaintainerActionHints parses the RAW
+ * body inside the pipeline, and human surfaces (dashboard SPA, CLI text
+ * mode) must not render fence markup. Returns a copy; never mutates.
+ */
+export function fenceFetchedPR(pr) {
+    if (!pr.lastMaintainerComment)
+        return pr;
+    return {
+        ...pr,
+        lastMaintainerComment: {
+            ...pr.lastMaintainerComment,
+            body: wrapUntrustedContent(pr.lastMaintainerComment.body, `${pr.repo}#${pr.number}`, {
+                author: pr.lastMaintainerComment.author,
+                source: 'pr-comment',
+            }),
+        },
+    };
+}

package/dist/formatters/json.js

@@ -3,6 +3,7 @@
  * Provides structured output that can be consumed by scripts and plugins
  */
 import { z } from 'zod';
+import { fenceFetchedPR } from '../core/untrusted-content.js';
 export function buildStalenessWarning(info) {
     return {
         phase: 'gist-staleness',
@@ -43,7 +44,10 @@ export function deduplicateDigest(digest) {
     const toUrls = (prs) => prs.map((pr) => pr.url);
     return {
         generatedAt: digest.generatedAt,
-        openPRs: digest.openPRs,
+        // lastMaintainerComment.body is attacker-controllable on any public PR;
+        // fence it at this agent-facing serialization boundary (#1420). The
+        // digest itself keeps the raw body for pipeline parsing and human UIs.
+        openPRs: digest.openPRs.map(fenceFetchedPR),
         needsAddressingPRs: toUrls(digest.needsAddressingPRs),
         waitingOnMaintainerPRs: toUrls(digest.waitingOnMaintainerPRs),
         recentlyClosedPRs: digest.recentlyClosedPRs,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oss-autopilot/core",
-  "version": "3.13.0",
+  "version": "3.13.2",
   "description": "CLI and core library for managing open source contributions",
   "type": "module",
   "bin": {
@@ -54,7 +54,7 @@
   "dependencies": {
     "@octokit/plugin-throttling": "^11.0.3",
     "@octokit/rest": "^22.0.1",
-    "@oss-scout/core": "^0.11.0",
+    "@oss-scout/core": "^1.1.0",
     "commander": "^15.0.0",
     "zod": "^4.4.3"
   },
@@ -72,7 +72,7 @@
     "bundle": "esbuild src/cli.ts --bundle --platform=node --target=node22 --format=cjs --minify --sourcemap --outfile=dist/cli.bundle.cjs",
     "start": "tsx src/cli.ts",
     "dev": "tsx watch src/cli.ts",
-    "typecheck": "tsc --noEmit",
+    "typecheck": "tsc --noEmit && tsc --noEmit -p tsconfig.tests.json",
     "test": "vitest run",
     "test:coverage": "vitest run --coverage",
     "test:watch": "vitest",