@yemi33/minions 0.1.1616 → 0.1.1618

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.1.1618 (2026-04-29)
+
+### Features
+- fix protected-file guard (#1858)
+- fix canonical active PR gate (#1857)
+- document PR auto-fix trigger precedence (#1855)
+
+### Fixes
+- guard stale build & conflict auto-fixes with live pre-dispatch check (#1851)
+
 ## 0.1.1616 (2026-04-29)
 
 ### Features

package/dashboard.js

@@ -667,7 +667,7 @@ function ccSessionValid() {
 const CC_STATIC_SYSTEM_PROMPT = (() => {
   try {
     const raw = fs.readFileSync(path.join(MINIONS_DIR, 'prompts', 'cc-system.md'), 'utf8');
-    return raw.replace(/\{\{minions_dir\}\}/g, MINIONS_DIR);
+    return shared.renderCcSystemPrompt(raw, { liveRoot: MINIONS_DIR });
   } catch (e) {
     console.error('Failed to load prompts/cc-system.md:', e.message);
     return 'You are the Command Center AI for Minions. Delegate work to agents.';

package/docs/auto-discovery.md

@@ -32,9 +32,13 @@ Before scanning, the engine materializes plans and specs into project work items
 |----------|--------|---------------|
 | Minions review pending/waiting | Queue a code review | `review` |
 | Minions review `changes-requested` | Route back to author for fixes | `fix` |
+| Human feedback pending | Route back to author for fixes | `fix` |
 | `buildStatus: "failing"` | Route to any agent for build fix | `fix` |
+| `_mergeConflict: true` | Route to author for conflict resolution | `fix` |
 Skips PRs where `status !== "active"`.
 
+PR fix triggers are evaluated in this source order inside `discoverFromPrs()`: review feedback first (`engine.js:2166-2180`), human feedback second (`engine.js:2191-2226`), build failure third (`engine.js:2229-2271`), and merge conflict fourth (`engine.js:2299-2317`). Conflict fixes are additionally gated by `!fixDispatched` (`engine.js:2301`), so any earlier successful fix dispatch in the same PR discovery pass suppresses the conflict fix until a later pass.
+
 ### Source 2: PRD Gap Analysis (via `materializePlansAsWorkItems`)
 
 PRD items flow through `materializePlansAsWorkItems()`, which scans `~/.minions/prd/*.json` for PRD files with `missing` / `updated` / `planned` items and creates work items in the target project's queue.
@@ -413,4 +417,3 @@ All discovery behavior is controlled via `config.json`:
 ```
 
 To disable a work source for a project, set `"enabled": false`. To change where the engine looks for PRD or PR files, change the `path` field (resolved relative to `localPath`).
-

package/docs/pr-review-fix-loop.md

@@ -21,14 +21,23 @@ How the engine manages the lifecycle of a PR from creation through review, fix,
 - Stores `minionsReview: { reviewer, reviewedAt, note }`
 - Creates feedback file for author agent
 
-## 4. Fix dispatch (3 independent triggers, at most one per tick)
+## 4. Fix dispatch trigger order
+
+`discoverFromPrs()` evaluates PR auto-fix triggers in a fixed order during each discovery pass:
+
+1. Review feedback (`changes-requested`) — `engine.js:2166-2180`
+2. Human feedback (`humanFeedback.pendingFix` or coalesced feedback) — `engine.js:2191-2226`
+3. Build failure (`buildStatus === 'failing'`) — `engine.js:2229-2271`
+4. Merge conflict (`_mergeConflict`) — `engine.js:2299-2317`
+
+When multiple problems coexist, earlier triggers get the first chance to enqueue work. The local `fixDispatched` flag is declared before the fix triggers (`engine.js:2168`) and set after review-feedback, human-feedback, and build-failure dispatches (`engine.js:2180`, `engine.js:2226`, `engine.js:2271`). Conflict fixes run last and explicitly require `!fixDispatched` (`engine.js:2301`), so any earlier successful fix dispatch suppresses the conflict fix for that PR in the same discovery pass. Build fixes are evaluated after review and human feedback, but the build-fix condition itself is not gated by `!fixDispatched` (`engine.js:2238`).
 
 ### A. Review feedback (`changes-requested`)
 
 - Gate: `reviewStatus === 'changes-requested'` + `!awaitingReReview` + not dispatched + not on cooldown
 - Routes to PR author via `_author_` routing token
 - `review_note` = reviewer's feedback
-- Sets `fixDispatched = true` — prevents trigger B from also firing this tick
+- Sets `fixDispatched = true` — prevents human-feedback and conflict fixes from also firing this pass
 
 ### B. Human comments (`humanFeedback.pendingFix`)
 
@@ -43,6 +52,13 @@ How the engine manages the lifecycle of a PR from creation through review, fix,
 - **Grace period** (`_buildFixPushedAt`): after fix dispatches, waits `buildFixGracePeriod` (default 10min, configurable in `ENGINE_DEFAULTS`) for CI to run before re-dispatching. Cleared when poller detects build status transition (CI actually ran).
 - **Error logs**: GitHub fetches annotations (failures only, not warnings) + Actions job log (always). ADO queries builds API directly (not status checks), fetches build timeline → failed task logs (up to 10 per build, up to 10 failing pipelines).
 - **Escalation**: after 3 failed attempts, writes inbox alert, sets `buildFixEscalated = true`, stops auto-dispatch. Counter resets when build recovers.
+- Sets `fixDispatched = true` after dispatch so the later conflict trigger is suppressed in the same pass.
+
+### D. Merge conflicts (`_mergeConflict`)
+
+- Gate: `autoFixConflicts` + `status === 'active'` + `_mergeConflict` + `!fixDispatched`
+- Routes to the PR author to resolve target-branch conflicts
+- Runs after review, human, and build triggers; if any earlier trigger enqueued a fix for this PR, the conflict fix waits for a later discovery pass
 
 ## 5. Fix completes
 
@@ -71,7 +87,7 @@ How the engine manages the lifecycle of a PR from creation through review, fix,
 | Scenario | Guard |
 |---|---|
 | Simultaneous review + fix | `activePrIds` — skip PR if any dispatch in-flight |
-| Duplicate fix (review + human) | `fixDispatched` flag — only one fix per PR per tick |
+| Duplicate fix (review + human + conflict) | `fixDispatched` flag — later human/conflict triggers skip after earlier fix dispatches in the same PR pass |
 | Branch write conflict | `isBranchActive()` mutex |
 | Fix while awaiting re-review | `awaitingReReview` (waiting + fixedAt) |
 | Build fix before CI runs | `_buildFixPushedAt` grace period (10min) |

package/engine/ado.js

@@ -844,6 +844,77 @@ async function checkLiveReviewStatus(pr, project) {
   }
 }
 
+/**
+ * Cheap pre-dispatch freshness check for build status and merge-conflict state.
+ * Mirrors checkLiveReviewStatus — fetches PR data once, classifies builds for the
+ * current merge commit, and reports whether ADO still considers the PR conflicted.
+ *
+ * Returns null if the check can't run (no token, no PR number, network error) so
+ * callers can fall back to cached state. Otherwise returns:
+ *   {
+ *     buildStatus: 'failing' | 'passing' | 'running' | 'none' | null,
+ *     mergeConflict: boolean,
+ *   }
+ *
+ * `buildStatus` is null when ADO has builds on the merge ref but none target the
+ * current merge commit (target-branch advance with no source-side rebuild yet —
+ * matches pollPrStatus's "preserve previous buildStatus" semantics from issue
+ * #1233; the caller must trust the cached value).
+ */
+async function checkLiveBuildAndConflict(pr, project) {
+  try {
+    const token = await getAdoToken();
+    if (!token) return null;
+    const orgBase = shared.getAdoOrgBase(project);
+    const prNum = shared.getPrNumber(pr);
+    if (!prNum) return null;
+    const repoBase = `${orgBase}/${project.adoProject}/_apis/git/repositories/${project.repositoryId}`;
+    const prUrl = `${repoBase}/pullrequests/${prNum}?api-version=7.1`;
+    // 4s timeout — same budget as checkLiveReviewStatus. This is a pre-dispatch
+    // gate; we'd rather miss a freshness signal and fall back to cache than
+    // block dispatch on a slow ADO call.
+    const prData = await adoFetch(prUrl, token, { timeout: 4000 });
+    if (!prData) return null;
+
+    // Conflict signal — ADO reports `mergeStatus: 'conflicts'` when the merge
+    // would conflict; anything else means clean (or recomputing).
+    const mergeConflict = prData.mergeStatus === 'conflicts';
+
+    // Build signal — only meaningful when the PR is still open. We replicate
+    // pollPrStatus's narrowing logic so the live check and the cached poll
+    // agree on what 'failing' / 'passing' / 'running' / 'none' mean.
+    let buildStatus = null;
+    if (prData.status === 'active') {
+      const mergeCommitId = prData.lastMergeCommit?.commitId;
+      if (mergeCommitId) {
+        try {
+          const mergeRef = encodeURIComponent(`refs/pull/${prNum}/merge`);
+          const buildsUrl = `${orgBase}/${project.adoProject}/_apis/build/builds?branchName=${mergeRef}&repositoryId=${project.repositoryId}&repositoryType=TfsGit&$top=25&api-version=7.1`;
+          const buildsData = await adoFetch(buildsUrl, token, { timeout: 4000 });
+          const allBuilds = buildsData?.value || [];
+          const prBuilds = allBuilds.filter(b => b.sourceVersion === mergeCommitId);
+          if (prBuilds.length > 0) {
+            buildStatus = classifyBuildStatus(prBuilds);
+          } else if (allBuilds.length === 0) {
+            buildStatus = 'none';
+          }
+          // else: merge-commit mismatch — leave buildStatus null so caller
+          // falls back to cached state (issue #1233).
+        } catch (e) { log('warn', `Live build check builds query for ${pr.id}: ${e.message}`); }
+      } else {
+        // No merge commit yet — likely conflict or fresh PR. Treat as 'none'
+        // so a stale 'failing' cache can be cleared by the caller.
+        buildStatus = 'none';
+      }
+    }
+
+    return { buildStatus, mergeConflict };
+  } catch (e) {
+    log('warn', `Live build/conflict check for ${pr.id}: ${e.message}`);
+    return null;
+  }
+}
+
 async function fetchAdoPrMetadata(prNum, adoOrg, adoProj, adoRepo) {
   const token = await getAdoToken();
   if (!token) return null;
@@ -968,6 +1039,22 @@ function _setAdoThrottleForTest(state) {
   _adoThrottle._setForTest(state);
 }
 
+/** Inject a token into the cache — exported for testing only.
+ *  Lets tests exercise functions that call getAdoToken() without invoking azureauth.
+ *  Pass null to force getAdoToken() to return null synchronously (no exec). */
+function _setAdoTokenForTest(token) {
+  if (token == null) {
+    // Clear cache AND set a future failure backoff so getAdoToken short-circuits
+    // to null without spawning azureauth — otherwise tests would hang on the
+    // 15s execAsync timeout or open a real auth popup.
+    _adoTokenCache = { token: null, expiresAt: 0 };
+    _adoTokenFailedUntil = Date.now() + 60 * 60 * 1000;
+  } else {
+    _adoTokenCache = { token, expiresAt: Date.now() + 30 * 60 * 1000 };
+    _adoTokenFailedUntil = 0;
+  }
+}
+
 module.exports = {
   getAdoToken,
   adoFetch,
@@ -975,6 +1062,7 @@ module.exports = {
   pollPrHumanComments,
   reconcilePrs,
   checkLiveReviewStatus,
+  checkLiveBuildAndConflict,
   needsAdoPollRetry,
   isAdoAuthError, // exported for testing
   isAdoThrottled,
@@ -984,4 +1072,5 @@ module.exports = {
   findOpenPrOnBranch,
   _resetAdoThrottle, // exported for testing
   _setAdoThrottleForTest, // exported for testing
+  _setAdoTokenForTest, // exported for testing
 };

package/engine/copilot-models.json

@@ -1,5 +1,5 @@
 {
   "runtime": "copilot",
   "models": null,
-  "cachedAt": "2026-04-29T00:05:48.131Z"
+  "cachedAt": "2026-04-29T01:10:58.853Z"
 }

package/engine/github.js

@@ -789,11 +789,79 @@ async function checkLiveReviewStatus(pr, project) {
   }
 }
 
+/**
+ * Cheap pre-dispatch freshness check for build status and merge-conflict state.
+ * Mirrors checkLiveReviewStatus — fetches PR data once, classifies check-runs
+ * for the current head SHA, and reports whether GitHub still considers the PR
+ * unmergeable.
+ *
+ * Returns null if the check can't run (no slug/PR/network) so callers can fall
+ * back to cached state. Otherwise returns:
+ *   {
+ *     buildStatus: 'failing' | 'passing' | 'running' | 'none' | null,
+ *     mergeConflict: boolean,
+ *   }
+ *
+ * `mergeConflict` is true only when GitHub explicitly reports `mergeable: false`
+ * — `mergeable: null` means GitHub is still computing the merge state, so the
+ * caller should treat that as "no fresh signal" and trust the cache.
+ *
+ * `buildStatus` is null when we couldn't query check-runs or the PR isn't open;
+ * caller falls back to cached value.
+ */
+async function checkLiveBuildAndConflict(pr, project) {
+  try {
+    const slug = getRepoSlug(project);
+    if (!slug) return null;
+    const prNum = shared.getPrNumber(pr);
+    if (!prNum) return null;
+    const prData = await ghApi(`/pulls/${prNum}`, slug);
+    if (!prData || prData === GH_NOT_FOUND) return null;
+
+    // Conflict signal — only treat `mergeable === false` as a positive
+    // conflict. `null` means "GitHub still computing" → we have no fresh
+    // info, so fall back to whatever the cache says.
+    let mergeConflict;
+    if (prData.mergeable === false) mergeConflict = true;
+    else if (prData.mergeable === true) mergeConflict = false;
+    else mergeConflict = !!pr._mergeConflict; // computing — preserve cached view
+
+    // Build signal — only meaningful for open PRs. Mirrors pollPrStatus's
+    // check-runs classification so the live read and cached poll agree on
+    // 'failing' / 'passing' / 'running' / 'none'.
+    let buildStatus = null;
+    if (prData.state === 'open' && prData.head?.sha) {
+      try {
+        const checksData = await ghApi(`/commits/${prData.head.sha}/check-runs`, slug);
+        if (checksData && Array.isArray(checksData.check_runs)) {
+          const runs = checksData.check_runs;
+          if (runs.length === 0) {
+            buildStatus = 'none';
+          } else {
+            const hasFailed = runs.some(r => r.conclusion === 'failure' || r.conclusion === 'timed_out');
+            const allDone = runs.every(r => r.status === 'completed');
+            const allPassed = runs.every(r => r.conclusion === 'success' || r.conclusion === 'skipped' || r.conclusion === 'neutral');
+            if (hasFailed) buildStatus = 'failing';
+            else if (allDone && allPassed) buildStatus = 'passing';
+            else buildStatus = 'running';
+          }
+        }
+      } catch (e) { log('warn', `Live build check checks query for ${pr.id}: ${e.message}`); }
+    }
+
+    return { buildStatus, mergeConflict };
+  } catch (e) {
+    log('warn', `Live build/conflict check for ${pr.id}: ${e.message}`);
+    return null;
+  }
+}
+
 module.exports = {
   pollPrStatus,
   pollPrHumanComments,
   reconcilePrs,
   checkLiveReviewStatus,
+  checkLiveBuildAndConflict,
   isGhThrottled,
   getGhThrottleState,
   // Exported for testing

package/engine/lifecycle.js

@@ -2113,7 +2113,27 @@ function classifyFailure(code, stdout = '', stderr = '') {
   }
 
   // Permission / trust / auth failures
-  if (/permission denied|access denied|unauthorized|403 forbidden|trust.*blocked|auth.*fail/i.test(combined)) {
+  //
+  // History (W-moja4a5qp9pj): the previous patterns `trust.*blocked` and
+  // `auth.*fail` used unbounded greedy `.*`. JSONL agent init events that
+  // emit the entire skill / slash-command catalogue on a single line
+  // happen to contain words like `check-self-authored-...` and
+  // `diagnose-build-fail-...`, which made the greedy regex match across
+  // thousands of unrelated characters and silently flag healthy agents
+  // as PERMISSION_BLOCKED on any non-zero exit. Use anchored phrases that
+  // only match real auth/trust failure messages.
+  const _PERM_PHRASES = [
+    /\bpermission denied\b/i,
+    /\baccess denied\b/i,
+    /\bunauthorized\b/i,
+    /\b403 forbidden\b/i,
+    /\bauthentication (?:failed|error|failure)\b/i,
+    /\bauth(?:entication)? (?:fail(?:ed|ure|s)?|denied|rejected)\b/i,
+    /\btrust (?:gate|domain|zone|policy)? ?(?:is |was |has been )?(?:blocked|denied|rejected)\b/i,
+    /\bcredentials? (?:rejected|invalid|expired)\b/i,
+    /\btoken (?:rejected|invalid|expired|revoked)\b/i,
+  ];
+  if (_PERM_PHRASES.some(re => re.test(combined))) {
     return FAILURE_CLASS.PERMISSION_BLOCKED;
   }
 

package/engine/shared.js

@@ -1272,6 +1272,122 @@ function getAdoOrgBase(project) {
 
 // ── Path Sanitization ───────────────────────────────────────────────────────
 
+/**
+ * Files in the LIVE Minions checkout (MINIONS_DIR) that the Command Center
+ * must never edit directly. Three flavours:
+ *
+ *   - "basenames": exact relative paths under the live root (engine.js, dashboard.js,
+ *     minions.js, config.json — and the runtime state files engine/control.json
+ *     and engine/dispatch.json).
+ *   - "globs":     direct-child JS files under protected live directories
+ *     (engine/*.js, bin/*.js).
+ *   - "prefixes":  relative directory prefixes whose entire subtree is read-only
+ *     when it lives in the live root (dashboard/**).
+ *
+ * The list is intentionally small and explicit. It mirrors the textual rule in
+ * `prompts/cc-system.md`. Source of truth lives here; the system prompt renders
+ * `{{cc_protected_paths}}` from this list at startup so the two cannot drift.
+ *
+ * The guard is ROOT-AWARE: a path only counts as protected when its absolute
+ * resolution sits inside MINIONS_DIR. The same basename inside an isolated
+ * task worktree (e.g. `D:/worktrees/minions-work/W-xxx/dashboard.js`) is NOT
+ * protected — agents working in those copies are free to edit them, since
+ * git keeps changes inside the worktree until the agent pushes a branch.
+ */
+const _CC_PROTECTED_BASENAMES = Object.freeze([
+  'engine.js',
+  'dashboard.js',
+  'minions.js',
+  'config.json',
+  'engine/control.json',
+  'engine/dispatch.json',
+]);
+const _CC_PROTECTED_FILE_GLOBS = Object.freeze([
+  'engine/*.js',
+  'bin/*.js',
+]);
+const _CC_PROTECTED_PREFIXES = Object.freeze([
+  'dashboard/',
+]);
+
+/**
+ * Returns the literal text used by the CC system prompt for the protected-file
+ * rule. Combines the basenames + prefixes above into a single sentence so the
+ * authored rule and the helper that enforces it can never disagree.
+ *
+ * The result is anchored to a specific live root so the LLM can't conflate
+ * "edits to dashboard.js" with "edits to a worktree copy of dashboard.js".
+ */
+function describeCcProtectedPaths(liveRoot) {
+  const root = (liveRoot && typeof liveRoot === 'string') ? liveRoot : MINIONS_DIR;
+  const norm = root.replace(/\\/g, '/');
+  const basenames = _CC_PROTECTED_BASENAMES.map(b => '`' + b + '`').join(', ');
+  const globs = _CC_PROTECTED_FILE_GLOBS.map(g => '`' + g + '`').join(', ');
+  const prefixes = _CC_PROTECTED_PREFIXES.map(p => '`' + p + '**`').join(', ');
+  return `READ ONLY in the live checkout at \`${norm}\` — never write/edit: ${basenames}, ${globs}, ${prefixes}. This rule is path-scoped, not basename-scoped. Files with the same basename inside an isolated agent worktree (e.g. \`{worktreeRoot}/W-<id>/dashboard.js\`) are NOT protected — agents working in their own worktrees may edit any repository source the work item requires.`;
+}
+
+function renderCcSystemPrompt(raw, opts) {
+  const liveRoot = (opts && typeof opts.liveRoot === 'string') ? opts.liveRoot : MINIONS_DIR;
+  return String(raw || '')
+    .replace(/\{\{minions_dir\}\}/g, liveRoot)
+    .replace(/\{\{cc_protected_paths\}\}/g, describeCcProtectedPaths(liveRoot));
+}
+
+/**
+ * Is this absolute path a CC-protected file in the LIVE Minions checkout?
+ *
+ * Returns true ONLY if all three hold:
+ *   1. `absPath` resolves to something inside `liveRoot` (default: MINIONS_DIR).
+ *   2. Its relative path matches a protected basename (e.g. `dashboard.js`)
+ *      OR matches a protected direct-child glob (`engine/*.js`, `bin/*.js`)
+ *      OR sits under a protected directory prefix (`dashboard/`).
+ *   3. The input is a real string (no nullish, no non-string values).
+ *
+ * Returns false for:
+ *   - Paths outside `liveRoot` (worktrees, sibling repos, scratch dirs, etc.)
+ *   - Non-protected files inside `liveRoot` (notes.md, knowledge/foo.md, …)
+ *   - Invalid inputs (null/undefined/empty/non-string)
+ *
+ * Why this exists: PR W-moja4a5qp9pj. The CC system prompt previously named
+ * protected files by basename only ("never write/edit dashboard.js"). Agents
+ * dispatched into isolated worktrees inherited the same prose verbatim and
+ * occasionally interpreted it as banning their own worktree copy of those
+ * files, blocking otherwise legitimate fixes. The guard now distinguishes
+ * "same path, live tree" from "same basename, worktree copy".
+ */
+function isLiveCommandCenterPath(absPath, opts) {
+  if (typeof absPath !== 'string' || absPath.length === 0) return false;
+  if (absPath.includes('\0')) return false;
+  const liveRoot = (opts && typeof opts.liveRoot === 'string') ? opts.liveRoot : MINIONS_DIR;
+  const pathApi = /^[a-zA-Z]:[\\/]/.test(absPath) || /^[a-zA-Z]:[\\/]/.test(liveRoot) ? path.win32 : path;
+  let resolved;
+  let resolvedRoot;
+  try {
+    resolved = pathApi.resolve(absPath);
+    resolvedRoot = pathApi.resolve(liveRoot);
+  } catch { return false; }
+  // Must be inside liveRoot. Compare with trailing separator to avoid the
+  // sibling-prefix bug ("D:/squad-old" startsWith "D:/squad").
+  const rootWithSep = resolvedRoot.endsWith(pathApi.sep) ? resolvedRoot : (resolvedRoot + pathApi.sep);
+  const caseInsensitive = pathApi === path.win32 || process.platform === 'win32';
+  const cmpResolved = caseInsensitive ? resolved.toLowerCase() : resolved;
+  const cmpResolvedRoot = caseInsensitive ? resolvedRoot.toLowerCase() : resolvedRoot;
+  const cmpRootWithSep = caseInsensitive ? rootWithSep.toLowerCase() : rootWithSep;
+  if (cmpResolved !== cmpResolvedRoot && !cmpResolved.startsWith(cmpRootWithSep)) return false;
+  // Compute the path relative to the live root and normalize separators so
+  // the basename / prefix checks are platform-independent.
+  const rel = pathApi.relative(resolvedRoot, resolved).replace(/\\/g, '/');
+  if (rel === '' || rel === '.') return false; // root itself is not a "file"
+  const relForMatch = rel.toLowerCase();
+  if (_CC_PROTECTED_BASENAMES.includes(relForMatch)) return true;
+  if (/^(?:engine|bin)\/[^/]+\.js$/.test(relForMatch)) return true;
+  for (const prefix of _CC_PROTECTED_PREFIXES) {
+    if (relForMatch === prefix.slice(0, -1) /* exact dir */ || relForMatch.startsWith(prefix)) return true;
+  }
+  return false;
+}
+
 /**
  * Validate that a user-supplied filename stays within the given base directory.
  * Rejects path traversal (../, encoded variants), null bytes, and absolute paths.
@@ -2099,6 +2215,12 @@ module.exports = {
   getAdoOrgBase,
   sanitizePath,
   sanitizeBranch,
+  isLiveCommandCenterPath,
+  describeCcProtectedPaths,
+  renderCcSystemPrompt,
+  _CC_PROTECTED_BASENAMES, // exported for testing
+  _CC_PROTECTED_FILE_GLOBS, // exported for testing
+  _CC_PROTECTED_PREFIXES,  // exported for testing
   isAllowedOrigin,
   buildSecurityHeaders,
   hasDangerousKey,

package/engine.js

@@ -1581,8 +1581,8 @@ function reconcileItemsWithPrs(items, allPrs, { onlyIds } = {}) {
 // ─── Inbox Consolidation (extracted to engine/consolidation.js) ──────────────
 
 const { consolidateInbox } = require('./engine/consolidation');
-const { pollPrStatus, pollPrHumanComments, reconcilePrs, checkLiveReviewStatus: adoCheckLiveReview, needsAdoPollRetry, getAdoToken, isAdoThrottled } = require('./engine/ado');
-const { pollPrStatus: ghPollPrStatus, pollPrHumanComments: ghPollPrHumanComments, reconcilePrs: ghReconcilePrs, checkLiveReviewStatus: ghCheckLiveReview, isGhThrottled } = require('./engine/github');
+const { pollPrStatus, pollPrHumanComments, reconcilePrs, checkLiveReviewStatus: adoCheckLiveReview, checkLiveBuildAndConflict: adoCheckLiveBuildAndConflict, needsAdoPollRetry, getAdoToken, isAdoThrottled } = require('./engine/ado');
+const { pollPrStatus: ghPollPrStatus, pollPrHumanComments: ghPollPrHumanComments, reconcilePrs: ghReconcilePrs, checkLiveReviewStatus: ghCheckLiveReview, checkLiveBuildAndConflict: ghCheckLiveBuildAndConflict, isGhThrottled } = require('./engine/github');
 
 // ─── State Snapshot ─────────────────────────────────────────────────────────
 
@@ -2049,7 +2049,8 @@ async function discoverFromPrs(config, project) {
   for (const pr of prs) {
     if (pr.status !== PR_STATUS.ACTIVE || pr._contextOnly) continue;
     const prDisplayId = shared.getPrDisplayId(pr);
-    if (activePrIds.has(pr.id)) continue; // Skip PRs with active dispatch (prevent race)
+    const prCanonicalId = shared.getCanonicalPrId(project, pr, pr.url || '');
+    if (activePrIds.has(prCanonicalId)) continue; // Skip PRs with active dispatch (prevent race)
     // Branch mutex: skip if PR branch is locked by any active dispatch (cross-type collision)
     if (pr.branch && isBranchActive(pr.branch)) {
       log('info', `Branch mutex: skipping PR ${pr.id} dispatch — branch ${pr.branch} locked by another agent`);
@@ -2255,6 +2256,39 @@ async function discoverFromPrs(config, project) {
 
       const key = `build-fix-${project?.name || 'default'}-${prDisplayId}`;
       if (fixThrottled || isAlreadyDispatched(key) || isOnCooldown(key, cooldownMs)) continue;
+
+      // Pre-dispatch live build check — cached buildStatus may be stale: ADO can
+      // recompute the merge commit when master moves and pollPrStatus deliberately
+      // preserves the previous 'failing' value (issue #1233); GitHub check-runs
+      // may have flipped to 'passing' minutes before the next 12-tick poll. Mirror
+      // the review/re-review live-vote guard so we don't dispatch a fix for a
+      // build that has already recovered.
+      try {
+        const checkBcFn = project.repoHost === 'github' ? ghCheckLiveBuildAndConflict : adoCheckLiveBuildAndConflict;
+        const live = await checkBcFn(pr, project);
+        if (live && live.buildStatus && live.buildStatus !== 'failing') {
+          log('info', `Pre-dispatch build check: ${pr.id} build is ${live.buildStatus} (cached was failing) — skipping build-fix`);
+          // Persist the fresh status so subsequent ticks don't re-check on every pass
+          try {
+            mutatePullRequests(projectPrPath(project), prs => {
+              const target = shared.findPrRecord(prs, pr, project);
+              if (!target) return;
+              target.buildStatus = live.buildStatus;
+              if (live.buildStatus === 'passing') {
+                delete target.buildErrorLog;
+                delete target.buildFailReason;
+                delete target._buildFailNotified;
+                if (target.buildFixAttempts) {
+                  delete target.buildFixAttempts;
+                  delete target.buildFixEscalated;
+                }
+              }
+            });
+          } catch {}
+          continue;
+        }
+      } catch (e) { log('warn', `Pre-dispatch build check for ${pr.id}: ${e.message} — skipping dispatch`); continue; }
+
       const agentId = resolveAgent('fix', config, pr.agent);
       if (!agentId) continue;
 
@@ -2306,22 +2340,47 @@ async function discoverFromPrs(config, project) {
       const conflictFixedAt = pr._conflictFixedAt;
       const withinLag = conflictFixedAt && Date.now() - new Date(conflictFixedAt).getTime() < 10 * 60 * 1000;
       if (!withinLag && !fixThrottled && !isAlreadyDispatched(key) && !isOnCooldown(key, cooldownMs)) {
-        const agentId = resolveAgent('fix', config, pr.agent);
-        if (agentId) {
-          const item = buildPrDispatch(agentId, config, project, pr, 'fix', {
-            pr_id: pr.id, pr_branch: pr.branch || '',
-            review_note: `This PR has merge conflicts with the target branch. Resolve the conflicts:\n\n1. Pull latest from main/master\n2. Resolve all conflicts (prefer PR branch changes unless main has critical fixes)\n3. Build and test after resolving\n4. Push the resolved branch`,
-          }, `Fix merge conflicts on ${pr.id}: ${pr.title || ''}`, { dispatchKey: key, source: 'pr', pr, branch: pr.branch, project: projMeta });
-          if (item) {
-            newWork.push(item);
-            setCooldown(key);
-            // Record dispatch timestamp so re-dispatch is suppressed during ADO lag window
+        // Pre-dispatch live conflict check — cached `_mergeConflict` may be
+        // stale: ADO/GitHub recompute mergeStatus asynchronously (1–5 min lag),
+        // so a successful upstream merge can leave the flag set even after the
+        // conflict is gone. Mirror the review/re-review live-vote guard so we
+        // don't dispatch a conflict-fix for a PR that's already clean.
+        let liveSkip = false;
+        try {
+          const checkBcFn = project.repoHost === 'github' ? ghCheckLiveBuildAndConflict : adoCheckLiveBuildAndConflict;
+          const live = await checkBcFn(pr, project);
+          if (live && live.mergeConflict === false) {
+            log('info', `Pre-dispatch conflict check: ${pr.id} reports clean merge (cached was conflict) — skipping conflict-fix`);
             try {
               mutatePullRequests(projectPrPath(project), prs => {
                 const target = shared.findPrRecord(prs, pr, project);
-                if (target) target._conflictFixedAt = new Date().toISOString();
+                if (!target) return;
+                delete target._mergeConflict;
+                delete target._conflictFixedAt;
               });
-            } catch (e) { log('warn', `conflict-fix timestamp: ${e.message}`); }
+            } catch {}
+            liveSkip = true;
+          }
+        } catch (e) { log('warn', `Pre-dispatch conflict check for ${pr.id}: ${e.message} — skipping dispatch`); liveSkip = true; }
+
+        if (!liveSkip) {
+          const agentId = resolveAgent('fix', config, pr.agent);
+          if (agentId) {
+            const item = buildPrDispatch(agentId, config, project, pr, 'fix', {
+              pr_id: pr.id, pr_branch: pr.branch || '',
+              review_note: `This PR has merge conflicts with the target branch. Resolve the conflicts:\n\n1. Pull latest from main/master\n2. Resolve all conflicts (prefer PR branch changes unless main has critical fixes)\n3. Build and test after resolving\n4. Push the resolved branch`,
+            }, `Fix merge conflicts on ${pr.id}: ${pr.title || ''}`, { dispatchKey: key, source: 'pr', pr, branch: pr.branch, project: projMeta });
+            if (item) {
+              newWork.push(item);
+              setCooldown(key);
+              // Record dispatch timestamp so re-dispatch is suppressed during ADO lag window
+              try {
+                mutatePullRequests(projectPrPath(project), prs => {
+                  const target = shared.findPrRecord(prs, pr, project);
+                  if (target) target._conflictFixedAt = new Date().toISOString();
+                });
+              } catch (e) { log('warn', `conflict-fix timestamp: ${e.message}`); }
+            }
           }
         }
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.1616",
+  "version": "0.1.1618",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"

package/prompts/cc-system.md

@@ -17,7 +17,7 @@ Codex will review your changes — make sure your implementation is thorough and
 - Leave no stone unturned when implementing or explaining. Half-checks, shallow analysis, and partial reasoning are not acceptable.
 
 ## Guardrails
-READ ONLY — never write/edit: `engine.js`, `engine/*.js`, `dashboard.js`, `dashboard/**`, `minions.js`, `bin/*.js`, `engine/control.json`, `engine/dispatch.json`, `config.json`.
+{{cc_protected_paths}}
 CAN modify: notes, plans, knowledge, work items, pull-requests.json, routing.md, charters, skills, playbooks, project repos.
 
 ## Filesystem