@seanyao/roll 2026.528.1 → 2026.528.2

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## v2026.528.2
+
+### Added
+
+- **loop 换机器跑不会再拿过期 backlog** — 每轮自动拉最新项目元数据 `[loop]`
+- **CI 红了 loop 不再干等** — 先试着自己修，修不好再找人 `[loop]`
+
+### Fixed
+
+- **`roll loop log` 现在真的能看了** — 每轮 cycle 的留档修好了 `[loop]`
+- **loop 跑完的终端窗口不再瞬间清空** — 关闭前能看到本轮摘要 `[loop]`
+
 ## v2026.528.1
 
 ### Added

package/bin/roll

@@ -4,7 +4,7 @@ set -euo pipefail
 # Roll — AI Agent Convention Manager
 # Single source of truth for how all AI coding agents behave.
 
-VERSION="2026.528.1"
+VERSION="2026.528.2"
 ROLL_HOME="${ROLL_HOME:-${HOME}/.roll}"
 ROLL_CONFIG="${ROLL_HOME}/config.yaml"
 ROLL_GLOBAL="${ROLL_HOME}/conventions/global"
@@ -747,6 +747,22 @@ _setup_snapshot() {
 # _ROLL_SETUP_STATE. Caller passes the watch dir(s) plus the command + args.
 # stdout/stderr of the inner command are suppressed (same as the previous
 # pattern in cmd_setup) to keep the v2 UI render the only user-visible output.
+# US-INFRA-008: ensure core.hooksPath is set to 'hooks' so TCR pre-commit gate
+# is never silently bypassed in new clones, worktrees, or automated environments.
+# Idempotent: already set to a non-default value → leave it (user knows better).
+# Not a git repo → silently skip.
+_ensure_hooks_path() {
+  local repo_path="${1:-$PWD}"
+  # Must be a git repo
+  git -C "$repo_path" rev-parse --git-dir >/dev/null 2>&1 || return 0
+  local current; current=$(git -C "$repo_path" config core.hooksPath 2>/dev/null || echo "")
+  # Only set when unset or pointing at the git default (.git/hooks)
+  if [[ -z "$current" || "$current" == ".git/hooks" ]]; then
+    git -C "$repo_path" config core.hooksPath hooks 2>/dev/null || true
+  fi
+  return 0
+}
+
 _run_setup_step() {
   local watch="$1"; shift
   local before after
@@ -803,6 +819,10 @@ cmd_setup() {
   _run_setup_step "$ROLL_HOME/.peer-state" _peer_ensure_state_dir
   _record "$(_state_to_marker "$_ROLL_SETUP_STATE")" "Initialize peer-review state directory"
 
+  # US-INFRA-008: configure git hooks path so TCR pre-commit gate works in this repo
+  _run_setup_step "$PWD" _ensure_hooks_path
+  _record "$(_state_to_marker "$_ROLL_SETUP_STATE")" "Configure git hooks path"
+
   if command -v tmux >/dev/null 2>&1; then
     _record skip "Ensure tmux is installed (already present)"
   else
@@ -2719,7 +2739,7 @@ _peer_dispatch_in_tmux() {
   {
     printf '#!/bin/bash -l\n'
     # FIX-050: portable PATH assembly (was hardcoded /opt/homebrew/bin)
-    printf 'for _d in /opt/homebrew/bin /usr/local/bin /opt/local/bin "$HOME/.local/bin"; do\n'
+    printf 'for _d in /opt/homebrew/bin /usr/local/bin /opt/local/bin "$HOME/.local/bin" "$HOME/.kimi-code/bin"; do\n'
     printf '  case ":$PATH:" in *":$_d:"*) ;; *) [ -d "$_d" ] && PATH="$_d:$PATH" ;; esac\n'
     printf 'done; export PATH\n'
     printf '%s > %q 2> %q || true\n' "$cmd_str" "$out_file" "$err_file"
@@ -5563,6 +5583,8 @@ _detect_path_prepend() {
   [[ -d /usr/local/bin ]] && dirs+=("/usr/local/bin")
   [[ -d /opt/local/bin ]] && dirs+=("/opt/local/bin")
   [[ -d "$HOME/.local/bin" ]] && dirs+=("$HOME/.local/bin")
+  # FIX-129: kimi-code installs to ~/.kimi-code/bin (not brew/local), launchd misses it
+  [[ -d "$HOME/.kimi-code/bin" ]] && dirs+=("$HOME/.kimi-code/bin")
   dirs+=("/usr/bin" "/bin" "/usr/sbin" "/sbin")
   for d in "${dirs[@]}"; do
     case ":$seen:" in *":$d:"*) continue ;; esac
@@ -5728,7 +5750,7 @@ set -o pipefail
 # FIX-050: portable PATH assembly — launchd/cron deliver a bare PATH that
 # misses brew-installed tools (tmux, claude, node, …). Iterate candidate
 # dirs; only prepend when present and not already in PATH. Idempotent.
-for _d in /opt/homebrew/bin /usr/local/bin /opt/local/bin "\$HOME/.local/bin"; do
+for _d in /opt/homebrew/bin /usr/local/bin /opt/local/bin "\$HOME/.local/bin" "\$HOME/.kimi-code/bin"; do
   case ":\$PATH:" in *":\$_d:"*) ;; *) [ -d "\$_d" ] && PATH="\$_d:\$PATH" ;; esac
 done
 export PATH
@@ -6061,6 +6083,10 @@ _phase_begin startup
 _phase_end startup ok
 _phase_begin preflight
 cd "${project_path}" 2>/dev/null || true
+# US-INFRA-008: ensure git hooks are wired so TCR pre-commit gate can't be bypassed
+_ensure_hooks_path "${project_path}" 2>/dev/null || true
+# US-LOOP-056: sync .roll/ meta from roll-meta remote before backlog scan
+_loop_sync_meta "${project_path}" || true
 # FIX-104: GC stale merged temp branches at cycle entry — before worktree setup
 # and before any early-exit gate (pre-run abort, CI red precheck). The post-claude
 # call site doesn't cover those paths, so merged branches accumulated on origin.
@@ -6372,7 +6398,7 @@ INNER
 # FIX-050: portable PATH assembly before any brew-tool lookup (tmux, caffeinate
 # on some systems, claude). Mirrors the inner script's bootstrap so even when
 # launchd's plist EnvironmentVariables is stale, the runner self-repairs.
-for _d in /opt/homebrew/bin /usr/local/bin /opt/local/bin "\$HOME/.local/bin"; do
+for _d in /opt/homebrew/bin /usr/local/bin /opt/local/bin "\$HOME/.local/bin" "\$HOME/.kimi-code/bin"; do
   case ":\$PATH:" in *":\$_d:"*) ;; *) [ -d "\$_d" ] && PATH="\$_d:\$PATH" ;; esac
 done
 export PATH
@@ -6459,10 +6485,24 @@ if command -v tmux >/dev/null 2>&1; then
   tmux list-sessions -F "#{session_name}" 2>/dev/null | grep "^roll-loop-${slug}\$" | while read _s; do
     tmux kill-session -t "\$_s" 2>/dev/null || true
   done
-  tmux new-session -d -s "\$SESSION" -x 200 -y 50 "bash \"\$INNER_SCRIPT\""
-  CYCLE_LOG_RAW="${project_path}/.roll/cycle-logs/.pipe-\$\$.raw"
+  # FIX-132: syntax-check the inner script before spawning the tmux session.
+  # A heredoc quoting regression or mid-cycle regeneration can silently produce
+  # a syntactically broken script; catching it here prevents the session from
+  # starting in a corrupted state and logging a misleading "exited 0, retrying".
+  if ! bash -n "\$INNER_SCRIPT" 2>>"\$LOG"; then
+    echo "[\$(date '+%Y-%m-%dT%H:%M:%S%z')] ABORT: inner script failed syntax check — cycle skipped (see log: \$LOG)" >> "\$LOG"
+    exit 1
+  fi
+  # FIX-130: export ROLL_CYCLE_LOG_RAW BEFORE spawning the tmux session so
+  # the inner script inherits it (env vars are inherited at spawn time, not
+  # retroactively — exporting after new-session means inner never sees it and
+  # _inner_cleanup skips log archiving, leaving only orphan .pipe-*.raw files).
   mkdir -p "${project_path}/.roll/cycle-logs"
+  # Clean orphan .pipe-*.raw files from previous crashed cycles
+  find "${project_path}/.roll/cycle-logs" -name '.pipe-*.raw' -delete 2>/dev/null || true
+  CYCLE_LOG_RAW="${project_path}/.roll/cycle-logs/.pipe-\$\$.raw"
   export ROLL_CYCLE_LOG_RAW="\$CYCLE_LOG_RAW"
+  tmux new-session -d -s "\$SESSION" -x 200 -y 50 "bash \"\$INNER_SCRIPT\""
   tmux pipe-pane -t "\$SESSION" "tee -a \"\$LOG\" >> \"\$ROLL_CYCLE_LOG_RAW\""
   # Auto-attach popup: when not muted, spawn a Terminal.app window attached
   # to the tmux session so the user can watch the loop work in real time.
@@ -6481,7 +6521,9 @@ if command -v tmux >/dev/null 2>&1; then
     # window closes the instant the tmux session ends (cycle_end kills
     # the session) and the entire scrollback disappears with it; the
     # cron-<slug>.log file still has the full transcript as a fallback.
-    printf '#!/bin/bash\\ntmux attach -t %s\\necho\\necho "================================================================"\\necho "  cycle ended. log: ~/.shared/roll/loop/cron-%s.log"\\necho "  press enter to close this window."\\necho "================================================================"\\nread _\\n' \\
+    # FIX-131: after tmux session ends, open the cron log with less so the
+    # user can scroll through the full cycle output instead of seeing nothing.
+    printf '#!/bin/bash\\ntmux attach -t %s 2>/dev/null\\nLOGFILE=~/.shared/roll/loop/cron-%s.log\\necho\\nif [ -f "\$LOGFILE" ]; then\\n  echo "================================================================"\\n  echo "  Cycle ended  —  showing log (arrows to scroll, q to close)"\\n  echo "================================================================"\\n  less -R +G "\$LOGFILE"\\nelse\\n  echo "================================================================"\\n  echo "  Cycle ended. Log not found: \$LOGFILE"\\n  echo "  press enter to close."\\n  echo "================================================================"\\n  read _\\nfi\\n' \\
       "\$SESSION" "${slug}" > "\$_attach_cmd" 2>/dev/null || true
     chmod +x "\$_attach_cmd" 2>/dev/null || true
     open -g -a Terminal "\$_attach_cmd" >/dev/null 2>&1 || true
@@ -6710,10 +6752,11 @@ cmd_loop() {
     resume)  _loop_resume ;;
     reset)   _loop_reset ;;
     gc)      shift; _loop_gc "$@" ;;
-    notify)       _notify "${1:-roll}" "${2:-}" ;;
-    enforce-tcr)  _loop_enforce_tcr "${1:-}" "${2:-}" ;;
-    precheck-ci)  _loop_precheck_ci ;;
-    branches)     _loop_branches "$(pwd -P)" ;;
+    notify)               _notify "${1:-roll}" "${2:-}" ;;
+    enforce-tcr)          _loop_enforce_tcr "${1:-}" "${2:-}" ;;
+    precheck-ci)          _loop_precheck_ci ;;
+    hotfix-head-context)  _loop_hotfix_head_context "${1:-}" ;;
+    branches)             _loop_branches "$(pwd -P)" ;;
     *)  cat <<'HELP'
 Usage: roll loop <on|off|now|test|status|monitor|runs|log|story|events|attach|mute|unmute|pause|resume|reset|gc|branches>
 
@@ -7741,6 +7784,66 @@ _ci_wait() {
 }
 
 # Pre-run CI health check — call before picking up new stories.
+# US-LOOP-056: sync .roll/ (roll-meta private submodule) before each cycle so
+# the cycle always runs against the latest backlog. Fail-soft: any error emits
+# a meta_sync event and returns 0 so the cycle continues with stale/existing meta.
+#
+# Statuses emitted via _loop_event meta_sync:
+#   ok      – fetch + reset --hard succeeded
+#   stale   – fetch failed; existing .roll/ used as fallback
+#   skipped – no git remote configured (not a roll-meta managed project)
+#
+# Env override: ROLL_LOOP_META_SYNC_TIMEOUT (default 15) controls fetch timeout.
+_loop_sync_meta() {
+  local project_path="$1"
+  local roll_meta="${project_path}/.roll"
+  local timeout_sec="${ROLL_LOOP_META_SYNC_TIMEOUT:-15}"
+  local cid="${CYCLE_ID:-unknown}"
+  local slug="${_LOOP_PROJ_SLUG:-$(_project_slug 2>/dev/null || echo unknown)}"
+  local shared_dir="${_SHARED_ROOT:-$HOME/.shared/roll}/loop"
+  local fail_counter="${shared_dir}/meta-sync-fail-${slug}"
+
+  # Detect remote via the canonical probe point. If .roll/ has no .git or no
+  # remote configured, treat as "not managed" and skip silently.
+  local remote_url
+  remote_url=$(git -C "$roll_meta" remote get-url origin 2>/dev/null || echo "")
+  if [ -z "$remote_url" ]; then
+    return 0
+  fi
+
+  # Attempt fetch with timeout
+  local _fetch_ok=0
+  if command -v timeout >/dev/null 2>&1; then
+    timeout "$timeout_sec" git -C "$roll_meta" fetch --quiet 2>/dev/null && _fetch_ok=1
+  else
+    git -C "$roll_meta" fetch --quiet 2>/dev/null && _fetch_ok=1
+  fi
+
+  if [ "$_fetch_ok" -eq 1 ]; then
+    if git -C "$roll_meta" reset --hard origin/main --quiet 2>/dev/null; then
+      _loop_event meta_sync "$cid" "ok" "" 2>/dev/null || true
+      # US-LOOP-057: reset consecutive failure counter on success
+      rm -f "$fail_counter" 2>/dev/null || true
+      return 0
+    fi
+  fi
+
+  # Fetch or reset failed — stale .roll/ used; cycle continues
+  _loop_event meta_sync "$cid" "stale" "fetch/reset failed" 2>/dev/null || true
+
+  # US-LOOP-057: increment failure counter; write ALERT after 3 consecutive failures
+  mkdir -p "$shared_dir" 2>/dev/null || true
+  local count=0
+  [ -f "$fail_counter" ] && count=$(cat "$fail_counter" 2>/dev/null || echo 0)
+  count=$(( count + 1 ))
+  printf '%s\n' "$count" > "$fail_counter"
+  if [ "$count" -ge 3 ]; then
+    printf '[%s] roll-meta sync consecutive failures: %d times. Check SSH key / network.\n  Last error: fetch/reset failed for %s\n' \
+      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$count" "$remote_url" >> "${shared_dir}/ALERT-${slug}.md" 2>/dev/null || true
+  fi
+  return 0
+}
+
 # Refuses to build on a red base (HEAD CI failed). Lenient on unknown states
 # (gh missing, repo unparseable, no runs yet) — the post-build _loop_enforce_ci
 # is the strict gate.
@@ -7773,6 +7876,38 @@ _loop_precheck_ci() {
     run_states=$(echo "$runs" \
       | jq -r '[.[] | "\(.status // "?")/\(.conclusion // "null")"] | unique | join(", ")' \
       2>/dev/null || echo "?")
+
+    # US-LOOP-046/048: check whether hot-fix path is allowed before aborting.
+    # ROLL_LOOP_NO_HEAL=1 or ROLL_LOOP_HEAL_MAX=0 → fall through to original abort.
+    local _heal_max="${ROLL_LOOP_HEAL_MAX:-2}"
+    if [[ "${ROLL_LOOP_NO_HEAL:-}" != "1" ]] && [[ "$_heal_max" -gt 0 ]]; then
+      local _state_file="${_SHARED_ROOT:-$HOME/.shared/roll}/loop/state-${_LOOP_PROJ_SLUG:-$(basename "$PWD")}.yaml"
+      local _heal_key="heal_count_head_${commit:0:8}"
+      local _count=0
+      [[ -f "$_state_file" ]] && _count=$(grep "^${_heal_key}:" "$_state_file" 2>/dev/null | awk '{print $2}' || echo 0)
+      _count=$(( ${_count:-0} + 0 ))  # coerce to int
+      if [[ "$_count" -lt "$_heal_max" ]]; then
+        # Increment counter and signal hot-fix path to the agent
+        _count=$(( _count + 1 ))
+        mkdir -p "$(dirname "$_state_file")" 2>/dev/null || true
+        if [[ -f "$_state_file" ]]; then
+          # Update existing key or append
+          if grep -q "^${_heal_key}:" "$_state_file" 2>/dev/null; then
+            local _tmp; _tmp=$(mktemp)
+            grep -v "^${_heal_key}:" "$_state_file" > "$_tmp" 2>/dev/null || true
+            printf '%s: %d\n' "$_heal_key" "$_count" >> "$_tmp"
+            mv "$_tmp" "$_state_file"
+          else
+            printf '%s: %d\n' "$_heal_key" "$_count" >> "$_state_file"
+          fi
+        else
+          printf '%s: %d\n' "$_heal_key" "$_count" > "$_state_file"
+        fi
+        # Exit 2 signals the agent: CI is red, hot-fix path is available
+        return 2
+      fi
+    fi
+
     err "$(msg loop.pre_run_ci_check_head_ci ${short})"
     mkdir -p "$(dirname "$_LOOP_ALERT")"
     cat > "$_LOOP_ALERT" << EOF
@@ -7795,6 +7930,62 @@ EOF
   return 0
 }
 
+# US-LOOP-047: hot-fix context factory for HEAD CI failures.
+# Captures failing run logs + recent commit diff, writes to /tmp/roll-heal-head-<sha>.log
+# Returns 0 and prints the log path on success; 1 if context could not be gathered.
+_loop_hotfix_head_context() {
+  local commit="${1:-$(git rev-parse HEAD 2>/dev/null)}"
+  [[ -z "$commit" ]] && return 1
+  local short="${commit:0:8}"
+  local outfile="/tmp/roll-heal-head-${short}.log"
+  local slug; _gh_resolve slug || slug="unknown"
+
+  {
+    printf '=== CI Hot-fix Context: HEAD %s ===\n\n' "$short"
+    printf '--- Recent commits ---\n'
+    git log --oneline -5 2>/dev/null || true
+    printf '\n--- Diff of last commit ---\n'
+    git show --stat HEAD 2>/dev/null | head -40 || true
+    printf '\n--- CI failure logs (head 200 lines) ---\n'
+    local run_id
+    run_id=$(gh -R "$slug" run list --commit "$commit" \
+      --json databaseId,conclusion -L 5 2>/dev/null \
+      | jq -r '.[] | select(.conclusion=="failure") | .databaseId' 2>/dev/null | head -1)
+    if [[ -n "$run_id" ]]; then
+      gh -R "$slug" run view --log-failed "$run_id" 2>/dev/null | head -200 || true
+    else
+      printf '(no failed run found for commit %s)\n' "$short"
+    fi
+  } > "$outfile" 2>/dev/null
+  printf '%s\n' "$outfile"
+  return 0
+}
+
+# US-LOOP-050: PR hot-fix entry point.
+# Checks out the PR branch, captures CI failure logs, and prepares context
+# for a roll-fix invocation on the PR branch.
+# Usage: _loop_hot_fix_pr <pr_number>
+_loop_hot_fix_pr() {
+  local pr_num="$1"
+  [[ -z "$pr_num" ]] && return 1
+  local slug; _gh_resolve slug || return 1
+  local outfile="/tmp/roll-heal-pr-${pr_num}.log"
+  local run_id
+  run_id=$(gh -R "$slug" run list --json databaseId,conclusion,headBranch -L 20 2>/dev/null \
+    | jq -r --argjson pr "\"$pr_num\"" \
+      '.[] | select(.conclusion=="failure") | .databaseId' 2>/dev/null | head -1)
+  {
+    printf '=== PR #%s CI Hot-fix Context ===\n\n' "$pr_num"
+    if [[ -n "$run_id" ]]; then
+      gh -R "$slug" run view --log-failed "$run_id" 2>/dev/null | head -200 || true
+    else
+      printf '(no failed run found for PR #%s)\n' "$pr_num"
+    fi
+  } > "$outfile" 2>/dev/null
+  printf '%s\n' "$outfile"
+  return 0
+}
+
 # _loop_diagnose_open_prs <slug>
 #   Appended to ALERT when CI is red on HEAD.
 #   For each open PR targeting main: lists CI failing tests + changed files,
@@ -8029,7 +8220,14 @@ _loop_pr_classify() {
   local mergeable="${4:-}"
 
   case "$head_ref" in
-    loop/*) echo "loop_self"; return 0 ;;
+    loop/*)
+      # US-LOOP-049: loop/* PRs with CI failure get their own classification
+      # so _loop_pr_inbox can route them to the PR hot-fix path.
+      if [[ "$ci_state" == "failure" ]]; then
+        echo "loop_self_ci_red"; return 0
+      fi
+      echo "loop_self"; return 0
+      ;;
   esac
 
   case "$human_review" in

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seanyao/roll",
-  "version": "2026.528.1",
+  "version": "2026.528.2",
   "description": "Roll — Roll out features with AI agents",
   "scripts": {
     "test": "bash tests/run.sh"

package/skills/roll-loop/SKILL.md

@@ -125,16 +125,26 @@ readers. The rule mirrors the gate in Step 2.
 ### Step 1.5 — Pre-run CI Health Check
 
 Call `roll loop precheck-ci` before scanning BACKLOG. This is a **defensive gate**
-against building on a broken base — if the most recent commit on the branch
-has red CI, the loop must not stack new commits on top (which would create the
-exact stuck-red state FIX-026 traces to).
-
-- HEAD CI green / pending / no-run-yet → proceed to Step 2.
-- HEAD CI red → write ALERT, **do not pick up any stories this cycle**,
-  exit cleanly. The next cycle will retry; the human must fix CI manually
-  (typically by reverting or pushing a green commit) before the loop resumes.
-- `gh` missing or repo unparseable → graceful skip (`roll loop precheck-ci`
-  returns 0); the post-build `_loop_enforce_ci` remains the strict gate.
+against building on a broken base. Check the **exit code** and route accordingly:
+
+| Exit code | Meaning | Action |
+|-----------|---------|--------|
+| `0` | CI green / pending / unknown | Proceed to Step 1.6 (PR Inbox) and Step 2 (BACKLOG scan) |
+| `1` | CI red AND heal exhausted or `ROLL_LOOP_NO_HEAL=1` | ALERT already written; exit cleanly this cycle |
+| `2` | CI red AND heal attempt allowed (US-LOOP-046) | **Hot-fix path** — skip BACKLOG, fix CI instead (see below) |
+
+`gh` missing or repo unparseable → `precheck-ci` returns `0`; graceful skip.
+
+**Hot-fix path (exit code 2) — US-LOOP-046:**
+
+Do NOT pick any BACKLOG stories this cycle. Instead:
+
+1. Capture context: `roll loop hotfix-head-context` → prints path to context log
+2. Invoke `Skill("roll-fix")` with brief:
+   `"CI red on HEAD. Failing run logs at <context-log-path>. Diagnose root cause, fix via TCR, commit, push. Do NOT change BACKLOG status."`
+3. After `roll-fix` completes, re-run `roll ci --wait` to verify the fix
+4. If CI is still red: run `roll loop precheck-ci` again; if it returns `1` (heal exhausted),
+   exit cleanly — ALERT was already written by the precheck
 
 ### Step 1.6 — PR Inbox (US-AUTO-034)