@yemi33/minions 0.1.1923 → 0.1.1925

package/dashboard/js/settings.js

@@ -97,7 +97,7 @@ async function openSettings() {
       settingsToggle('Allow Temp Agents', 'set-allowTempAgents', !!e.allowTempAgents, 'Spawn ephemeral agents when all permanent agents are busy') +
       settingsToggle('Auto-archive Plans', 'set-autoArchive', !!e.autoArchive, 'Automatically archive plans after verify completes (off = manual archive via dashboard)') +
       settingsToggle('Auto-complete PRs', 'set-autoCompletePrs', !!e.autoCompletePrs, 'Auto-merge PRs when builds pass and review is approved (opt-in)') +
-      settingsToggle('CC Worker Pool', 'set-ccUseWorkerPool', !!e.ccUseWorkerPool, 'Route Command Center / doc-chat through a persistent copilot --acp worker per tab instead of spawning a fresh CLI per turn (opt-in)') +
+      settingsToggle('CC Worker Pool', 'set-ccUseWorkerPool', (e.ccUseWorkerPool === undefined ? ((e.ccCli || e.defaultCli) === 'copilot') : !!e.ccUseWorkerPool), 'Route Command Center / doc-chat through a persistent copilot --acp worker per tab instead of spawning a fresh CLI per turn. Default ON for copilot runtime (cold-spawn is ~20s on Windows); default OFF for claude.') +
     '</div>' +
 
     '<h3 style="font-size:13px;color:var(--blue);margin-bottom:8px">PR Polling &amp; Dispatch Gates</h3>' +

package/dashboard.js

@@ -1190,21 +1190,24 @@ function getDiskVersion() {
 }
 
 // ── MCP server discovery ─────────────────────────────────────────────────────
-// Mirrors what each CLI actually loads at runtime:
-//   • `claude mcp list`         → user + plugin (+ workspace if cwd in project)
-//   • `copilot mcp list --json` → user + workspace + plugin + builtin (merged)
+// Reads MCP server registrations directly from each CLI's config file:
+//   • `~/.claude.json` → `mcpServers` (Claude user scope)
+//   • `~/.copilot/mcp-config.json` → `mcpServers` (Copilot user scope)
 //   • Each registered project's `<localPath>/.mcp.json` → workspace scope
 //
-// CLI calls are slow (claude health-checks every server on stdio), so we cache
-// for ~5 minutes and refresh in the background. getMcpServers() always returns
-// synchronously from cache; first call before background fill returns [].
+// We used to shell out to `claude mcp list` + `copilot mcp list --json`, but
+// `claude mcp list` blocks on a TTY check when the dashboard daemon has no
+// parent console (bin/minions.js spawns it with windowsHide:true), so every
+// refresh timed out and the cache stayed empty. File reads are zero-spawn and
+// the config files are the authoritative source for registration.
+//
+// Cost: we lose live connection status (✓ Connected / ! Needs auth) and the
+// Claude plugin: <plugin>:<server> rows. The UI shows status only in a hover
+// tooltip, and plugin servers are rare; reliability matters more.
 
 const _MCP_CACHE_TTL = 5 * 60 * 1000;
-const _MCP_CLAUDE_TIMEOUT = 30000;
-const _MCP_COPILOT_TIMEOUT = 15000;
 let _mcpServersCache = null;
 let _mcpServersCacheTs = 0;
-let _mcpRefreshInflight = null;
 
 function _parseClaudeMcpListLine(line) {
   const trimmed = (line || '').trim();
@@ -1248,19 +1251,43 @@ function _parseCopilotMcpListJson(raw) {
   } catch { return []; }
 }
 
-function _runCliAsync(cmd, args, timeoutMs) {
-  return new Promise(resolve => {
-    try {
-      const { exec } = require('child_process');
-      // exec() runs through the shell so Windows resolves .cmd/.exe shims off
-      // PATH. Args are static so there's no injection surface.
-      const line = [cmd, ...args].join(' ');
-      exec(line, {
-        timeout: timeoutMs, windowsHide: true, encoding: 'utf8',
-        maxBuffer: 1024 * 1024,
-      }, (err, stdout) => resolve(err ? null : stdout));
-    } catch { resolve(null); }
-  });
+// Read Claude's user-scope MCP servers from `~/.claude.json` directly.
+// Shelling out to `claude mcp list` is unreliable from the dashboard daemon —
+// the CLI's MCP health probes block on a TTY check when the parent has no
+// console (bin/minions.js launches the dashboard with windowsHide:true), and
+// neither exec() nor spawn(..., {detached:true}) reliably sidesteps it.
+// Config-file reads are zero-spawn, instant, and the file is the authoritative
+// source for which servers are registered.
+function _readClaudeUserMcpServers() {
+  try {
+    const data = safeJsonObj(path.join(os.homedir(), '.claude.json'));
+    const servers = data?.mcpServers || {};
+    return Object.entries(servers).map(([name, cfg]) => ({
+      name,
+      source: 'Claude user',
+      command: cfg.command || cfg.url || '',
+      args: Array.isArray(cfg.args) ? cfg.args.join(' ') : (cfg.args || ''),
+    }));
+  } catch { return []; }
+}
+
+// Copilot stores its MCP config at `~/.copilot/mcp-config.json` (may have a
+// UTF-8 BOM — Windows tooling tends to write one).
+function _readCopilotUserMcpServers() {
+  try {
+    const configPath = path.join(os.homedir(), '.copilot', 'mcp-config.json');
+    if (!fs.existsSync(configPath)) return [];
+    let raw = fs.readFileSync(configPath, 'utf8');
+    if (raw.charCodeAt(0) === 0xFEFF) raw = raw.slice(1);
+    const data = JSON.parse(raw);
+    const servers = data?.mcpServers || {};
+    return Object.entries(servers).map(([name, cfg]) => ({
+      name,
+      source: 'Copilot',
+      command: cfg.command || cfg.url || '',
+      args: Array.isArray(cfg.args) ? cfg.args.join(' ') : (cfg.args || ''),
+    }));
+  } catch { return []; }
 }
 
 function _readWorkspaceMcpServers(projects) {
@@ -1293,42 +1320,26 @@ function _dedupeMcpServers(entries) {
   return out;
 }
 
-async function _refreshMcpServersCache() {
-  if (_mcpRefreshInflight) return _mcpRefreshInflight;
-  _mcpRefreshInflight = (async () => {
-    try {
-      const [claudeOut, copilotOut] = await Promise.all([
-        _runCliAsync('claude', ['mcp', 'list'], _MCP_CLAUDE_TIMEOUT),
-        _runCliAsync('copilot', ['mcp', 'list', '--json'], _MCP_COPILOT_TIMEOUT),
-      ]);
-      const claudeEntries = (claudeOut || '').split(/\r?\n/).map(_parseClaudeMcpListLine).filter(Boolean);
-      const copilotEntries = _parseCopilotMcpListJson(copilotOut || '{}');
-      const workspaceEntries = _readWorkspaceMcpServers(PROJECTS);
-      _mcpServersCache = _dedupeMcpServers([...claudeEntries, ...copilotEntries, ...workspaceEntries]);
-      _mcpServersCacheTs = Date.now();
-    } catch (e) {
-      console.error('[mcp-discovery] refresh failed:', e.message?.split('\n')?.[0]);
-      if (!_mcpServersCache) _mcpServersCache = [];
-      _mcpServersCacheTs = Date.now();
-    } finally {
-      _mcpRefreshInflight = null;
-    }
-  })();
-  return _mcpRefreshInflight;
-}
-
 function getMcpServers() {
   const now = Date.now();
-  if (!_mcpServersCache || (now - _mcpServersCacheTs) >= _MCP_CACHE_TTL) {
-    _refreshMcpServersCache().catch(() => {});
+  if (_mcpServersCache && (now - _mcpServersCacheTs) < _MCP_CACHE_TTL) {
+    return _mcpServersCache;
+  }
+  try {
+    const entries = [
+      ..._readClaudeUserMcpServers(),
+      ..._readCopilotUserMcpServers(),
+      ..._readWorkspaceMcpServers(PROJECTS),
+    ];
+    _mcpServersCache = _dedupeMcpServers(entries);
+  } catch (e) {
+    console.error('[mcp-discovery] refresh failed:', e.message?.split('\n')?.[0]);
+    if (!_mcpServersCache) _mcpServersCache = [];
   }
-  return _mcpServersCache || [];
+  _mcpServersCacheTs = now;
+  return _mcpServersCache;
 }
 
-// Kick off first discovery on startup so the dashboard has data before the
-// first slow-state rebuild.
-_refreshMcpServersCache().catch(() => {});
-
 function parsePinnedEntries(content) {
   if (!content) return [];
   const entries = [];
@@ -2622,7 +2633,7 @@ async function ccCall(message, { store = 'cc', sessionKey, extraContext, label =
   // alongside docSessions._docHash would risk the next call hitting the
   // "doc unchanged → skip context" branch after the idle reaper killed the
   // worker, silently starving the new ACP session of the doc body.
-  if (store === 'doc' && CONFIG.engine && CONFIG.engine.ccUseWorkerPool && sessionKey) {
+  if (store === 'doc' && shared.resolveCcUseWorkerPool(CONFIG.engine) && sessionKey) {
     const poolPrompt = (function buildPoolPrompt() {
       const parts = !skipStatePreamble ? [`## Current Minions State (${new Date().toISOString().slice(0, 16)})\n\n${buildCCStatePreamble()}`] : [];
       if (extraContext) parts.push(extraContext);
@@ -2763,7 +2774,7 @@ async function ccCallStreaming(message, { store = 'cc', sessionKey, extraContext
   // keeps receiving accumulated text per the callLLMStreaming contract.
   // We also do NOT call updateSession() — see ccCall for the
   // docSessions-eviction-vs-_docHash staleness rationale.
-  if (store === 'doc' && CONFIG.engine && CONFIG.engine.ccUseWorkerPool && sessionKey) {
+  if (store === 'doc' && shared.resolveCcUseWorkerPool(CONFIG.engine) && sessionKey) {
     const poolPrompt = (function buildPoolPrompt() {
       const parts = !skipStatePreamble ? [`## Current Minions State (${new Date().toISOString().slice(0, 16)})\n\n${buildCCStatePreamble()}`] : [];
       if (extraContext) parts.push(extraContext);
@@ -3227,7 +3238,7 @@ async function ccDocCall({ message, document, title, filePath, selection, canEdi
   // that has never seen the doc. See _buildDocChatPass for the read-side
   // rationale; see the post-call write-back below for the symmetric write
   // guard.
-  const usePool = !!(CONFIG.engine && CONFIG.engine.ccUseWorkerPool && sessionKey);
+  const usePool = !!(shared.resolveCcUseWorkerPool(CONFIG.engine) && sessionKey);
 
   // Build the pass once for the first call; the retry helper invokes runOnce()
   // with no args after invalidating the session, so a fresh build there reflects
@@ -3308,7 +3319,7 @@ async function ccDocCallStreaming({ message, document, title, filePath, selectio
   // Sub-task D of W-mp2w003600196c51: see ccDocCall above for the
   // read-side / write-side rationale; the streaming variant mirrors the
   // same usePool guard.
-  const usePool = !!(CONFIG.engine && CONFIG.engine.ccUseWorkerPool && sessionKey);
+  const usePool = !!(shared.resolveCcUseWorkerPool(CONFIG.engine) && sessionKey);
 
   // Build the pass once; see ccDocCall for the dedup rationale.
   const initialPass = _buildDocChatPass({
@@ -6089,7 +6100,7 @@ What would you like to discuss or change? When you're happy, say "approve" and I
       // per-tab handles in dashboard state, and matches "tab close" semantics
       // — if the user explicitly aborted, we don't owe them a warm process).
       // Off when the flag is off so legacy SIGTERM-only behavior is preserved.
-      if (CONFIG.engine && CONFIG.engine.ccUseWorkerPool) {
+      if (shared.resolveCcUseWorkerPool(CONFIG.engine)) {
         try { ccWorkerPool.closeTab(tabId); } catch { /* swallow */ }
       }
       _clearCcLiveStream(tabId);
@@ -6234,7 +6245,7 @@ What would you like to discuss or change? When you're happy, say "approve" and I
    * test enforces engine.js does not import cc-worker-pool).
    */
   function _invokeCcStream({ prompt, sessionId, liveState, toolUses, model, effort, maxTurns, engineConfig, systemPrompt = CC_STATIC_SYSTEM_PROMPT, tabId }) {
-    if (engineConfig && engineConfig.ccUseWorkerPool) {
+    if (shared.resolveCcUseWorkerPool(engineConfig)) {
       return _invokeCcStreamViaPool({ prompt, liveState, model, effort, engineConfig, systemPrompt, tabId });
     }
     const { callLLMStreaming } = require('./engine/llm');

package/engine/copilot-models.json

@@ -1,5 +1,5 @@
 {
   "runtime": "copilot",
   "models": null,
-  "cachedAt": "2026-05-13T23:13:36.239Z"
+  "cachedAt": "2026-05-14T02:03:25.197Z"
 }

package/engine/shared.js

@@ -1213,6 +1213,27 @@ function resolveCcCli(engine) {
   return ENGINE_DEFAULTS.defaultCli;
 }
 
+/**
+ * Resolve whether the Command Center / doc-chat path should route through the
+ * persistent ACP worker pool. Priority:
+ *   1. `engine.ccUseWorkerPool` explicit true/false — operator override always wins
+ *   2. Runtime-aware default: ON when CC runtime resolves to `copilot`
+ *      (Copilot's cold-spawn is 18-21s on Windows — pool turns subsequent turns
+ *      from 47-140s back into a few seconds). Claude's cold-spawn is much
+ *      cheaper and the ACP pool wasn't designed for it, so it stays OFF there.
+ *   3. ENGINE_DEFAULTS.ccUseWorkerPool — final fallback
+ *
+ * Strict boolean check on the override so a literal `false` opts out even on
+ * Copilot, matching `_isMeaningful` semantics for boolean flags.
+ */
+function resolveCcUseWorkerPool(engine) {
+  if (engine && (engine.ccUseWorkerPool === true || engine.ccUseWorkerPool === false)) {
+    return engine.ccUseWorkerPool;
+  }
+  if (resolveCcCli(engine) === 'copilot') return true;
+  return !!ENGINE_DEFAULTS.ccUseWorkerPool;
+}
+
 /**
  * Resolve the model for a per-agent spawn. Priority:
  *   1. `agent.model`            — per-agent override
@@ -3698,7 +3719,7 @@ module.exports = {
   KB_CATEGORIES,
   classifyInboxItem,
   ENGINE_DEFAULTS,
-  resolveAgentCli, resolveCcCli, resolveAgentModel, resolveCcModel,
+  resolveAgentCli, resolveCcCli, resolveCcUseWorkerPool, resolveAgentModel, resolveCcModel,
   resolveAgentMaxBudget, resolveAgentBareMode,
   applyLegacyCcModelMigration, _resetLegacyCcModelMigrationFlag,
   runtimeConfigWarnings,

package/engine.js

@@ -606,6 +606,111 @@ async function pruneStaleWorktreeForBranch(rootDir, branchName, gitOpts) {
   return removed;
 }
 
+// ─── assertCleanSharedWorktree (#2439) ──────────────────────────────────────
+// Engine-side preflight that prevents shared-branch dispatches from spawning
+// into a dirty worktree. Without this, the shared-branch playbook's "git status
+// + bail out" guard fires AFTER dispatch — converting an orchestration hygiene
+// problem into a fake implementation failure that also cascades to dependent
+// work items.
+//
+// Behavior:
+//   1. Run `git status --porcelain` in the target worktree.
+//   2. If clean → { clean: true, healed: false }.
+//   3. If dirty, decide whether self-heal is safe:
+//      - Block (preserve dirty tree for inspection) when ANOTHER active
+//        dispatch claims the same branch (ownership ambiguity).
+//      - Block when local commits exist that aren't on origin/<branch>
+//        (would lose unpushed work).
+//      - Otherwise reset --hard + clean -fd, then re-verify.
+//   4. Return { clean, healed, reason, dirtyFiles } so the caller can fail
+//      fast with a first-class DIRTY_WORKTREE reason and retry semantics.
+async function assertCleanSharedWorktree(rootDir, worktreePath, branchName, dispatchId, gitOpts = {}) {
+  const result = { clean: false, healed: false, reason: null, dirtyFiles: [] };
+  // 1. Status probe
+  let statusOut = '';
+  try {
+    const r = await execAsync('git status --porcelain', { ...gitOpts, cwd: worktreePath, timeout: 10000 });
+    statusOut = (r || '').toString().trim();
+  } catch (e) {
+    result.reason = 'status-failed';
+    result.error = e.message;
+    return result;
+  }
+  if (!statusOut) {
+    result.clean = true;
+    return result;
+  }
+  result.dirtyFiles = statusOut.split('\n').map(l => l.trim()).filter(Boolean);
+
+  // 2. Ownership check — another live dispatch on the same branch?
+  const sanitized = sanitizeBranch(branchName);
+  let otherActive = false;
+  try {
+    mutateDispatch((dp) => {
+      otherActive = (dp.active || []).some(d => {
+        if (d.id === dispatchId) return false;
+        const dBranch = d.meta?.branch ? sanitizeBranch(d.meta.branch) : '';
+        return dBranch === sanitized;
+      });
+      return dp;
+    });
+  } catch (e) {
+    log('warn', `assertCleanSharedWorktree: dispatch read failed (${e.message}) — assuming contended`);
+    otherActive = true;
+  }
+  if (otherActive) {
+    result.reason = 'other-dispatch-active';
+    return result;
+  }
+
+  // 3. Unpushed-commit check — refuse to clean when local work would be lost.
+  //    `git log @{u}..HEAD --oneline` returns non-empty when there are commits
+  //    ahead of the upstream. If there is no upstream at all, treat as unsafe
+  //    to clean (we can't prove the local commits exist on origin).
+  let hasUnpushed = false;
+  try {
+    const r = await execAsync('git log @{u}..HEAD --oneline', { ...gitOpts, cwd: worktreePath, timeout: 10000 });
+    hasUnpushed = (r || '').toString().trim().length > 0;
+  } catch (e) {
+    // No upstream configured (e.g., branch never pushed) — be conservative.
+    hasUnpushed = true;
+  }
+  if (hasUnpushed) {
+    result.reason = 'has-unpushed-commits';
+    return result;
+  }
+
+  // 4. Safe to self-heal: reset + clean
+  try {
+    await execAsync('git reset --hard HEAD', { ...gitOpts, cwd: worktreePath, timeout: 30000 });
+    await execAsync('git clean -fd', { ...gitOpts, cwd: worktreePath, timeout: 30000 });
+  } catch (e) {
+    result.reason = 'clean-failed';
+    result.error = e.message;
+    return result;
+  }
+
+  // 5. Re-verify
+  try {
+    const r2 = await execAsync('git status --porcelain', { ...gitOpts, cwd: worktreePath, timeout: 10000 });
+    const after = (r2 || '').toString().trim();
+    if (after) {
+      result.reason = 'dirty-after-clean';
+      result.dirtyFiles = after.split('\n').map(l => l.trim()).filter(Boolean);
+      return result;
+    }
+  } catch (e) {
+    result.reason = 'recheck-failed';
+    result.error = e.message;
+    return result;
+  }
+
+  log('info', `assertCleanSharedWorktree: auto-healed dirty shared-branch worktree ${worktreePath} on ${branchName} (${result.dirtyFiles.length} dirty files reset)`);
+  result.clean = true;
+  result.healed = true;
+  return result;
+}
+
 async function recoverPartialWorktree(rootDir, worktreePath, branchName, gitOpts) {
   if (!branchName) return false;
   const existingWt = await findExistingWorktree(rootDir, branchName);
@@ -856,6 +961,31 @@ async function spawnAgent(dispatchItem, config) {
       }
     }
 
+    // Shared-branch preflight (#2439): refuse to dispatch into a dirty shared
+    // worktree. Auto-heals when safe (no other dispatch claims the branch and
+    // no unpushed commits); blocks dispatch with a retryable DIRTY_WORKTREE
+    // failure otherwise. Without this, the playbook's `git status + bail` guard
+    // fires AFTER spawn — converting orchestration hygiene into fake
+    // implementation failures and cascading dependent items.
+    if (worktreePath && fs.existsSync(worktreePath) && meta?.branchStrategy === 'shared-branch' && branchName) {
+      const cleanResult = await assertCleanSharedWorktree(rootDir, worktreePath, branchName, id, _gitOpts);
+      if (!cleanResult.clean) {
+        const previewFiles = (cleanResult.dirtyFiles || []).slice(0, 5).join(', ');
+        const reasonMsg = `DIRTY_WORKTREE: shared branch ${branchName} worktree at ${worktreePath} is dirty (${cleanResult.reason}); ${cleanResult.dirtyFiles?.length || 0} file(s)${previewFiles ? ': ' + previewFiles : ''}`;
+        log('error', reasonMsg);
+        _cleanupPromptFiles();
+        completeDispatch(
+          id,
+          DISPATCH_RESULT.ERROR,
+          reasonMsg.slice(0, 500),
+          `Engine preflight refused to spawn into a dirty shared-branch worktree (#2439). Reason: ${cleanResult.reason}.`,
+          { agentRetryable: true },
+        );
+        cleanupTempAgent(agentId);
+        return null;
+      }
+    }
+
     // Merge dependency PR branches into worktree (applies to both reused and new worktrees)
     if (worktreePath && fs.existsSync(worktreePath)) {
       cwd = worktreePath;
@@ -5121,7 +5251,7 @@ module.exports = {
   // Shared helpers (used by lifecycle.js and tests)
   reconcileItemsWithPrs, detectDependencyCycles,
   parseConflictFiles, pruneAncestorDeps, preflightMergeSimulation, // exported for testing
-  isWorktreeRetryableError, removeStaleIndexLock, syncReusedWorktree, // exported for testing
+  isWorktreeRetryableError, removeStaleIndexLock, syncReusedWorktree, assertCleanSharedWorktree, // exported for testing
   pruneStaleWorktreeForBranch, // exported for testing
   _maxTurnsForType, buildProjectContext, normalizeAc, _buildAgentSpawnFlags, _classifyAgentFailure, // exported for testing
   promoteCheckpointSteeringForClose, // exported for testing

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.1923",
+  "version": "0.1.1925",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"