@yemi33/minions 0.1.1947 → 0.1.1948

package/engine/ado.js

@@ -690,6 +690,14 @@ async function pollPrStatus(config) {
     if (applyAdoPrMetadata(pr, prData)) updated = true;
 
     let newStatus = pr.status;
+    // W-mp5trwh60008386d: ADO does NOT need the `prAbandonConfirmCount` confirmation logic
+    // that engine/github.js uses. ADO only flips a PR to `abandoned` when a *successful*
+    // adoFetch returns `prData.status === 'abandoned'` (below). On 404/auth failure adoFetch
+    // throws, the throw propagates to forEachActivePr's `Promise.allSettled`, and the PR
+    // record is left untouched — equivalent to "infinite confirmations required". The shared
+    // ENGINE_DEFAULTS.prAbandonConfirmCount constant lives in engine/shared.js so a future
+    // ADO change can adopt the same semantics if the failure model ever maps 404 to
+    // abandonment directly. See engine/github.js pollPrStatus for the GitHub implementation.
     if (prData.status === 'completed') newStatus = PR_STATUS.MERGED;
     else if (prData.status === 'abandoned') newStatus = PR_STATUS.ABANDONED;
     else if (prData.status === 'active') newStatus = PR_STATUS.ACTIVE;

package/engine/copilot-models.json

@@ -1,5 +1,5 @@
 {
   "runtime": "copilot",
   "models": null,
-  "cachedAt": "2026-05-14T22:37:10.295Z"
+  "cachedAt": "2026-05-14T22:39:03.456Z"
 }

package/engine/github.js

@@ -5,7 +5,7 @@
  */
 
 const shared = require('./shared');
-const { exec, execAsync, getProjects, projectPrPath, projectWorkItemsPath, safeJson, safeJsonArr, safeWrite, mutateJsonFileLocked, MINIONS_DIR, getPrLinks, backfillPrPrdItems, log, ts, dateStamp, PR_STATUS, PR_POLLABLE_STATUSES, createThrottleTracker, getProjectOrg } = shared;
+const { exec, execAsync, getProjects, projectPrPath, projectWorkItemsPath, safeJson, safeJsonArr, safeWrite, mutateJsonFileLocked, MINIONS_DIR, getPrLinks, backfillPrPrdItems, log, ts, dateStamp, PR_STATUS, PR_POLLABLE_STATUSES, ENGINE_DEFAULTS, createThrottleTracker, getProjectOrg } = shared;
 const { getPrs } = require('./queries');
 const { MINIONS_COMMENT_MARKER_RE } = require('./gh-comment');
 const path = require('path');
@@ -21,6 +21,19 @@ function engine() {
 let _dispatch = null;
 function dispatchModule() { if (!_dispatch) _dispatch = require('./dispatch'); return _dispatch; }
 
+// W-mp5trwh60008386d: test seam so unit tests can mock `gh api` shell-outs
+// without spawning the real CLI. Production code goes through the real
+// `execAsync` from shared; tests call `_setExecAsyncForTest(fn)` to swap in
+// a stub. Pass `null` to restore. Mirrors the `_setAdoTokenForTest` pattern
+// in engine/ado.js.
+let _execAsyncOverride = null;
+function _runExec(cmd, opts) {
+  return (_execAsyncOverride || execAsync)(cmd, opts);
+}
+function _setExecAsyncForTest(fn) {
+  _execAsyncOverride = (typeof fn === 'function') ? fn : null;
+}
+
 // ─── Constants ──────────────────────────────────────────────────────────────
 
 // 10 MB — prevents maxBuffer exceeded errors on repos with many open PRs.
@@ -144,7 +157,7 @@ let _cachedViewerLogin = null;
 async function _resolveViewerLogin() {
   if (_cachedViewerLogin) return _cachedViewerLogin;
   try {
-    const result = await execAsync('gh api user', { timeout: 10000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER });
+    const result = await _runExec('gh api user', { timeout: 10000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER });
     const parsed = JSON.parse(String(result || ''));
     const login = parsed?.login ? String(parsed.login).toLowerCase() : null;
     if (login) _cachedViewerLogin = login;
@@ -241,7 +254,7 @@ async function ghApi(endpoint, slug, opts = {}) {
   try {
     const paginateFlag = opts.paginate ? ' --paginate' : '';
     const cmd = `gh api${paginateFlag} "repos/${slug}${endpoint}"`;
-    const result = await execAsync(cmd, { timeout: opts.timeout || 30000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER });
+    const result = await _runExec(cmd, { timeout: opts.timeout || 30000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER });
     const parsed = JSON.parse(result);
     _ghThrottle.recordSuccess();
     return parsed;
@@ -310,7 +323,7 @@ async function fetchGhBuildErrorLog(slug, failedRuns) {
       // Always fetch job log — annotations alone often lack test failure details
       try {
         const cmd = `gh api "repos/${slug}/actions/jobs/${run.id}/logs" 2>&1`;
-        const result = await execAsync(cmd, { timeout: 15000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER });
+        const result = await _runExec(cmd, { timeout: 15000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER });
         if (result && !result.includes('Not Found')) {
           logParts.push(`--- ${run.name || 'Check'} (log) ---\n${result}`);
         }
@@ -351,9 +364,18 @@ async function forEachActiveGhPr(config, callback) {
       && shared.isPrCompatibleWithProject(project, pr, pr.url || ''));
     if (activePrs.length === 0) continue;
 
-    // Probe repo accessibility before iterating PRs — avoids N warnings per inaccessible repo
+    // Probe repo accessibility before iterating PRs — avoids N warnings per inaccessible repo.
+    // W-mp5trwh60008386d: ghApi returns the GH_NOT_FOUND sentinel on 404 (a frozen object,
+    // *not* null). The pre-fix gate only matched `null`, so a 404 on the base repo (caused by
+    // a multi-account `gh auth` switch, network blip, or token rotation) fell through and every
+    // per-PR call below 404'd, permanently flipping all active PRs to `abandoned`. We now treat
+    // both null and GH_NOT_FOUND as "skip the project for this tick" and explicitly do NOT
+    // increment per-PR `_consecutive404s` counters since no per-PR call was made.
     const probe = await ghApi('', slug);
-    if (probe === null) {
+    if (probe === null || probe === GH_NOT_FOUND) {
+      if (probe === GH_NOT_FOUND) {
+        log('warn', `GitHub repo probe for ${slug} returned 404 — skipping all per-PR polls for this project this tick (avoids spurious abandonments). Per-PR 404 counters NOT incremented.`);
+      }
       recordSlugFailure(slug);
       continue;
     }
@@ -388,6 +410,13 @@ async function forEachActiveGhPr(config, callback) {
             if (currentPrs[idx].reviewStatus === 'approved' && after.reviewStatus !== 'approved') {
               after.reviewStatus = 'approved';
             }
+            // W-mp5trwh60008386d: never downgrade `status: merged` — terminal state. A stale
+            // 404 reaching `prAbandonConfirmCount` could otherwise overwrite a concurrent
+            // success/merge poll. Keeps the central pull-requests.json status invariants
+            // intact even under multi-writer races.
+            if (currentPrs[idx].status === PR_STATUS.MERGED && after.status !== PR_STATUS.MERGED) {
+              after.status = PR_STATUS.MERGED;
+            }
             shared.applyPrFieldDelta(currentPrs[idx], before, after);
           }
         }
@@ -410,13 +439,40 @@ async function forEachActiveGhPr(config, callback) {
   const centralPath = path.join(MINIONS_DIR, 'pull-requests.json');
   const centralPrs = safeJsonArr(centralPath);
   const activeCentral = centralPrs.filter(pr => PR_POLLABLE_STATUSES.has(pr.status) && pr.url);
+
+  // W-mp5trwh60008386d: probe each unique slug in the central list ONCE before iterating PRs.
+  // Without this gate, central PRs would inherit the same per-PR 404 trapdoor that project-local
+  // PRs had pre-fix — a multi-account `gh auth` switch or token rotation would let every
+  // central PR for an inaccessible slug accumulate `_consecutive404s` even though the failure
+  // is at the auth/repo layer, not the PR. Probe results live for this tick only (Map cleared
+  // each invocation).
+  const centralSlugProbes = new Map(); // slug → 'ok' | 'fail'
+  for (const pr of activeCentral) {
+    const ghMatch = pr.url.match(/github\.com\/([^/]+\/[^/]+)\/pull\/(\d+)/);
+    if (!ghMatch) continue;
+    const slug = ghMatch[1];
+    if (centralSlugProbes.has(slug)) continue;
+    if (isSlugInBackoff(slug)) { centralSlugProbes.set(slug, 'fail'); continue; }
+    const probe = await ghApi('', slug);
+    if (probe === null || probe === GH_NOT_FOUND) {
+      if (probe === GH_NOT_FOUND) {
+        log('warn', `GitHub repo probe for ${slug} returned 404 (central PR poll) — skipping all central PRs for this slug this tick. Per-PR 404 counters NOT incremented.`);
+      }
+      recordSlugFailure(slug);
+      centralSlugProbes.set(slug, 'fail');
+    } else {
+      resetSlugBackoff(slug);
+      centralSlugProbes.set(slug, 'ok');
+    }
+  }
+
   let centralUpdated = 0;
   const updatedCentralRecords = [];
   for (const pr of activeCentral) {
     const ghMatch = pr.url.match(/github\.com\/([^/]+\/[^/]+)\/pull\/(\d+)/);
     if (!ghMatch) continue;
     const slug = ghMatch[1];
-    if (isSlugInBackoff(slug)) continue;
+    if (centralSlugProbes.get(slug) !== 'ok') continue; // probe failed → skip per-PR call
     const prNum = ghMatch[2];
     try {
       const before = shared.snapshotPrRecord(pr);
@@ -452,7 +508,13 @@ async function forEachActiveGhPr(config, callback) {
       // Only merge back central PRs that the callback actually modified
       for (const { before, after } of updatedCentralRecords) {
         const idx = currentPrs.findIndex(p => p.id === after.id);
-        if (idx >= 0) shared.applyPrFieldDelta(currentPrs[idx], before, after);
+        if (idx >= 0) {
+          // W-mp5trwh60008386d: same merged-status guard as project-local PRs.
+          if (currentPrs[idx].status === PR_STATUS.MERGED && after.status !== PR_STATUS.MERGED) {
+            after.status = PR_STATUS.MERGED;
+          }
+          shared.applyPrFieldDelta(currentPrs[idx], before, after);
+        }
       }
       return currentPrs;
     }, { defaultValue: [] });
@@ -465,21 +527,49 @@ async function forEachActiveGhPr(config, callback) {
 // ─── PR Status Polling ──────────────────────────────────────────────────────
 
 async function pollPrStatus(config) {
+  // W-mp5trwh60008386d: per-PR 404 must be confirmed N times before flipping to abandoned.
+  // Single 404s are routinely transient (multi-account `gh auth` race, network blip, token
+  // rotation). Counter is per-PR (`pr._consecutive404s`) and reset on any successful response.
+  // Default N from ENGINE_DEFAULTS; opt-in override via config.engine.prAbandonConfirmCount.
+  const confirmCount = Math.max(1, Number(config?.engine?.prAbandonConfirmCount) || ENGINE_DEFAULTS.prAbandonConfirmCount);
+
   const totalUpdated = await forEachActiveGhPr(config, async (project, pr, prNum, slug) => {
     const prData = await ghApi(`/pulls/${prNum}`, slug);
     if (!prData) return false;
     if (prData === GH_NOT_FOUND) {
-      // PR no longer exists — mark abandoned so it stops being polled
-      if (pr.status !== PR_STATUS.ABANDONED) {
-        pr.status = PR_STATUS.ABANDONED;
-        log('info', `PR ${pr.id} returned 404 — marking abandoned`);
-        return true;
+      // Per-PR 404. Base-repo probe in forEachActiveGhPr already passed for this tick, so the
+      // 404 is specific to this PR — but we still require N consecutive confirmations across
+      // separate poll ticks before flipping. Worst-case delay for a genuinely deleted PR is
+      // N × prPollStatusEvery × tickInterval (~36 min at defaults), which is acceptable for an
+      // irreversible status change.
+      const next = (Number(pr._consecutive404s) || 0) + 1;
+      if (next >= confirmCount) {
+        if (pr.status !== PR_STATUS.ABANDONED) {
+          pr.status = PR_STATUS.ABANDONED;
+          delete pr._consecutive404s;
+          log('info', `PR ${pr.id} returned 404 ${next} consecutive polls — marking abandoned`);
+          return true;
+        }
+        // Already abandoned; clear the counter if it lingered.
+        if (pr._consecutive404s) {
+          delete pr._consecutive404s;
+          return true;
+        }
+        return false;
       }
-      return false;
+      pr._consecutive404s = next;
+      log('warn', `PR ${pr.id} returned 404 (${next}/${confirmCount}) — deferring abandonment until threshold`);
+      return true; // counter increment is a state change worth persisting
     }
 
     let updated = false;
 
+    // Successful response — clear any pending 404 confirmation streak.
+    if (pr._consecutive404s) {
+      delete pr._consecutive404s;
+      updated = true;
+    }
+
     const headBranch = prData.head?.ref ? String(prData.head.ref).trim() : '';
     if (headBranch && pr.branch !== headBranch) {
       pr.branch = headBranch;
@@ -742,7 +832,7 @@ async function pollPrStatus(config) {
       if (autoComplete) {
         try {
           const mergeMethod = ['squash', 'merge', 'rebase'].includes(config.engine?.prMergeMethod) ? config.engine.prMergeMethod : 'squash';
-          await execAsync(`gh pr merge ${prNum} --${mergeMethod} --repo ${slug} --delete-branch`, { timeout: 30000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER });
+          await _runExec(`gh pr merge ${prNum} --${mergeMethod} --repo ${slug} --delete-branch`, { timeout: 30000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER });
           pr._autoCompleted = true;
           log('info', `Auto-completed PR ${pr.id}: builds green + review approved → merged (${mergeMethod})`);
           updated = true;
@@ -1138,4 +1228,6 @@ module.exports = {
   _resolveViewerLogin, // exported for testing (W-mp3bp0ha000997ab-b backfill)
   _setCachedViewerLogin, // exported for testing (W-mp3bp0ha000997ab-b backfill)
   _backfillViewerDidAuthor, // exported for testing (W-mp3bp0ha000997ab-b backfill)
+  _setExecAsyncForTest, // W-mp5trwh60008386d: test seam to mock `gh api` shell-outs
+  GH_NOT_FOUND, // W-mp5trwh60008386d: exported so tests can assert sentinel propagation
 };

package/engine/shared.js

@@ -1093,6 +1093,14 @@ const ENGINE_DEFAULTS = {
   ghPollEnabled: true, // poll GitHub PR status, comments, and reconciliation on each tick cycle
   prPollStatusEvery: 12,   // poll PR build/review/merge status every N ticks for both ADO and GitHub (~12 min at default interval)
   prPollCommentsEvery: 12, // poll PR human comments every N ticks for both ADO and GitHub (~12 min at default interval)
+  // W-mp5trwh60008386d: per-PR 404 must repeat across N consecutive successful base-repo probes
+  // before flipping a PR to `abandoned`. A single 404 on `repos/{slug}/pulls/{n}` can be a transient
+  // multi-account `gh auth` race, network blip, or token rotation — those used to permanently
+  // corrupt active PRs. Counter resets to 0 on any successful per-PR response. ADO doesn't have
+  // an analogous abandon-on-404 trapdoor (`adoFetch` throws on 404 → caught by Promise.allSettled
+  // → no flip), so the constant is GitHub-only today but lives in shared defaults so a future
+  // ADO change can adopt the same semantics.
+  prAbandonConfirmCount: 3,
   watchesIncludeBehindBy: false, // opt-in: when true, GitHub PR poll calls /compare/{base}...{head} once per pr per pollPrStatusEvery cadence to populate pr.behindBy (powers the `behind-master` watch predicate). Off by default to avoid the extra API call. ADO PRs always get null (no commit-graph walk yet).
   autoCompletePrs: false, // auto-merge PRs when builds green + review approved (opt-in)
   prMergeMethod: 'squash', // merge method: squash, merge, rebase

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.1947",
+  "version": "0.1.1948",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"