@yemi33/minions 0.1.1948 → 0.1.1950

package/engine/abandoned-pr-reconciliation.js

@@ -0,0 +1,143 @@
+/**
+ * engine/abandoned-pr-reconciliation.js — One-shot startup reconciliation pass
+ * for `abandoned` PRs. Pairs with W-mp5trwh60008386d's forward-looking 404
+ * hardening in engine/github.js: that fix prevents *future* false-flips, but
+ * does nothing for PRs already wrongly marked `abandoned` before it shipped
+ * (e.g. the 16 PRs hit by the 2026-05-14 gh-auth-flip incident).
+ *
+ * `pollPrStatus` only iterates PRs in `PR_POLLABLE_STATUSES = {active, linked}`
+ * (engine/shared.js), so once a PR is `abandoned` the regular poll loop never
+ * visits it again. This module is the explicit one-time re-probe.
+ *
+ * ## Why one-shot, not periodic?
+ *
+ * Periodic re-probing of terminal-status PRs has real costs:
+ *   - GitHub/ADO API quota burn on every restart (50+ PRs × 2 hosts).
+ *   - Race risk against late-arriving merge events (a PR closed 30s before
+ *     the pass would mis-classify based on stale local state).
+ *   - Boot latency that grows linearly with abandoned-PR count.
+ *
+ * The version-gated one-shot model gives us exactly what we need: re-probe
+ * once per release that bumps `ENGINE_DEFAULTS.abandonedReconciliationVersion`,
+ * then never again until the next bump. First boot after this lands cleans up
+ * the historical false-flips; subsequent boots are a single state.json read +
+ * version compare → no-op.
+ *
+ * ## Why a separate WI from W-mp5trwh60008386d?
+ *
+ * Forward-fix (don't false-flip new PRs) and retroactive-heal (un-flip already
+ * damaged PRs) are different concerns with different risk profiles. The 404
+ * hardening fix is per-tick and ships independently; this reconciliation is
+ * boot-only and depends on the hardening fix existing in master so we don't
+ * fork the abandonment-confirmation logic.
+ *
+ * ## Boot wiring
+ *
+ * Called from engine/cli.js between the recovery sweep and the initial tick.
+ * Errors here must NOT block boot — the catch in cli.js logs and continues.
+ */
+
+const path = require('path');
+const shared = require('./shared');
+
+const { ENGINE_DEFAULTS, log, mutateEngineState, readEngineState } = shared;
+
+/**
+ * Run the version-gated startup reconciliation pass. Idempotent across reruns
+ * at the same code version: state.json gates re-execution.
+ *
+ * @param {object} config — engine config (used to enumerate projects)
+ * @param {object} [options]
+ * @param {boolean} [options.skipVersionCheck] — bypass the version gate (tests only)
+ * @param {object}  [options.githubModule] — injectable for tests (default: require './github')
+ * @param {object}  [options.adoModule]    — injectable for tests (default: require './ado')
+ * @returns {Promise<{ skipped: boolean, totals: { flipped, confirmedDeleted, skipped, errored } }>}
+ */
+async function runStartupReconciliation(config, options = {}) {
+  const targetVersion = Number(ENGINE_DEFAULTS.abandonedReconciliationVersion) || 0;
+  const skipVersionCheck = options.skipVersionCheck === true;
+
+  if (!skipVersionCheck) {
+    const state = readEngineState();
+    const lastVersion = Number(state.lastAbandonedReconciliationVersion) || 0;
+    if (lastVersion >= targetVersion) {
+      // Already reconciled at this version — no-op. Don't even log; this runs
+      // every boot and the silent path is the common one.
+      return {
+        skipped: true,
+        totals: { flipped: 0, confirmedDeleted: 0, skipped: 0, errored: 0 },
+      };
+    }
+  }
+
+  const github = options.githubModule || require('./github');
+  const ado = options.adoModule || require('./ado');
+
+  // Pre-count abandoned PRs (only those without the confirmed-404 marker) so
+  // the start-of-pass log line is meaningful. Wrapped in try/catch — the
+  // pre-count is observability, not correctness.
+  let preCount = 0;
+  let projectCount = 0;
+  try {
+    const projects = shared.getProjects(config);
+    projectCount = projects.length;
+    for (const p of projects) {
+      const prs = shared.safeJsonArr(shared.projectPrPath(p));
+      preCount += prs.filter(pr =>
+        pr.status === shared.PR_STATUS.ABANDONED && !pr._reconciliation404Confirmed
+      ).length;
+    }
+  } catch { /* observability only */ }
+
+  log('info', `Abandoned PR reconciliation pass: scanning ${preCount} PR${preCount === 1 ? '' : 's'} across ${projectCount} project${projectCount === 1 ? '' : 's'} (version ${targetVersion})`);
+
+  // Run both reconcilers. We do NOT use Promise.allSettled here because
+  // adoFetch and ghApi share the global rate-limit counters — running them
+  // serially keeps log ordering deterministic and avoids interleaved
+  // throttle messages.
+  let ghTotals = { flipped: 0, confirmedDeleted: 0, skipped: 0, errored: 0 };
+  let adoTotals = { flipped: 0, confirmedDeleted: 0, skipped: 0, errored: 0 };
+  try {
+    ghTotals = await github.reconcileAbandonedPrs(config);
+  } catch (err) {
+    log('warn', `Abandoned PR reconciliation: GitHub pass threw: ${err.message}`);
+  }
+  try {
+    adoTotals = await ado.reconcileAbandonedPrs(config);
+  } catch (err) {
+    log('warn', `Abandoned PR reconciliation: ADO pass threw: ${err.message}`);
+  }
+
+  const totals = {
+    flipped: ghTotals.flipped + adoTotals.flipped,
+    confirmedDeleted: ghTotals.confirmedDeleted + adoTotals.confirmedDeleted,
+    skipped: ghTotals.skipped + adoTotals.skipped,
+    errored: ghTotals.errored + adoTotals.errored,
+  };
+  log('info', `Abandoned PR reconciliation: flipped ${totals.flipped}, confirmed-deleted ${totals.confirmedDeleted}, skipped ${totals.skipped}, errored ${totals.errored}`);
+
+  if (!skipVersionCheck) {
+    // Persist the version marker even when the pass found nothing (preCount=0)
+    // — the marker means "we ran reconciliation at this code version", not
+    // "we found something to fix". Without the write, every restart would
+    // re-run the no-op pass forever.
+    try {
+      mutateEngineState((state) => {
+        state.lastAbandonedReconciliationVersion = targetVersion;
+        state.lastAbandonedReconciliationAt = new Date().toISOString();
+        return state;
+      });
+    } catch (err) {
+      // State.json write failure is unfortunate but non-fatal: next boot will
+      // re-run the pass, which is idempotent (already-flipped PRs aren't
+      // abandoned anymore, confirmed-404s carry the marker). Log and continue.
+      log('warn', `Abandoned PR reconciliation: failed to persist version marker: ${err.message}`);
+    }
+  }
+
+  return { skipped: false, totals };
+}
+
+module.exports = {
+  runStartupReconciliation,
+};

package/engine/ado.js

@@ -1602,12 +1602,169 @@ function _setAdoTokenForTest(token) {
   }
 }
 
+// ─── One-Shot Startup Reconciliation for Abandoned PRs (W-mp60tw0u000j3931) ───
+//
+// ADO equivalent of engine/github.js reconcileAbandonedPrs. Same shape:
+// per-(org, project, repo) base probe, cached for the duration of the pass;
+// then per-PR re-probe via adoFetch. ADO PRs use `prData.status` directly
+// ('active' | 'abandoned' | 'completed'), which we map back to PR_STATUS.
+//
+// Note: ADO's adoFetch throws on failure rather than returning a sentinel,
+// so the per-PR catch needs to distinguish 404 (PR truly deleted) from other
+// errors (network, throttle). isAdoAuthError covers 401/403 — for 404 we
+// inspect the error message directly.
+async function reconcileAbandonedPrs(config) {
+  let flipped = 0, confirmedDeleted = 0, skipped = 0, errored = 0;
+
+  const projects = shared.getProjects(config).filter(p => !isGitHubProject(p));
+  if (projects.length === 0) return { flipped, confirmedDeleted, skipped, errored };
+
+  const token = await getAdoToken();
+  if (!token) {
+    log('warn', 'Abandoned PR reconciliation: no ADO token — skipping ADO projects');
+    // Count abandoned PRs across ADO projects as skipped so the orchestrator
+    // log line is honest about what we left behind.
+    let pending = 0;
+    for (const project of projects) {
+      const prs = shared.safeJsonArr(shared.projectPrPath(project));
+      pending += prs.filter(pr =>
+        pr.status === shared.PR_STATUS.ABANDONED && !pr._reconciliation404Confirmed
+      ).length;
+    }
+    return { flipped, confirmedDeleted, skipped: pending, errored };
+  }
+
+  // Cache base-repo probe results for THIS pass. Key by (org, project, repoId)
+  // since two minions projects can technically point at the same ADO repo.
+  const probeCache = new Map();
+
+  for (const project of projects) {
+    repairAdoProjectConfig(project, 'abandoned PR reconciliation');
+    if (!project.adoOrg || !project.adoProject) continue;
+    const adoRepositoryId = getAdoRepositoryId(project);
+    if (!adoRepositoryId) {
+      logMissingAdoRepository(project, 'abandoned PR reconciliation');
+      continue;
+    }
+
+    const prPath = shared.projectPrPath(project);
+    const prs = shared.safeJsonArr(prPath);
+    const abandonedPrs = prs.filter(pr =>
+      pr.status === shared.PR_STATUS.ABANDONED
+      && !pr._reconciliation404Confirmed
+      && shared.isPrCompatibleWithProject(project, pr, pr.url || '')
+    );
+    if (abandonedPrs.length === 0) continue;
+
+    const orgBase = getAdoOrgBase(project);
+    const probeKey = `${project.adoOrg}/${project.adoProject}/${adoRepositoryId}`;
+    let probeResult = probeCache.get(probeKey);
+    if (probeResult === undefined) {
+      try {
+        const repoUrl = `${orgBase}/${project.adoProject}/_apis/git/repositories/${encodeURIComponent(adoRepositoryId)}?api-version=7.1`;
+        const repoData = await adoFetch(repoUrl, token);
+        probeResult = repoData ? 'ok' : 'fail';
+      } catch (err) {
+        log('warn', `Abandoned PR reconciliation: ADO base-repo probe for ${probeKey} threw: ${err.message}`);
+        probeResult = 'fail';
+      }
+      probeCache.set(probeKey, probeResult);
+    }
+    if (probeResult === 'fail') {
+      log('warn', `Abandoned PR reconciliation: skipping ${probeKey} (${abandonedPrs.length} PR${abandonedPrs.length === 1 ? '' : 's'}) — base-repo probe failed, retry next startup`);
+      skipped += abandonedPrs.length;
+      continue;
+    }
+
+    const updates = []; // { prNumber, action, newStatus?, mergedAt? }
+    for (const pr of abandonedPrs) {
+      const prNum = shared.getPrNumber(pr);
+      if (!prNum) continue;
+      try {
+        const encodedRepoId = encodeURIComponent(adoRepositoryId);
+        const prUrl = `${orgBase}/${project.adoProject}/_apis/git/repositories/${encodedRepoId}/pullrequests/${prNum}?api-version=7.1`;
+        const prData = await adoFetch(prUrl, token);
+        if (!prData) {
+          log('warn', `Skipped ADO PR #${prNum} (${probeKey}): empty response, retry next startup`);
+          errored++;
+          continue;
+        }
+        let newStatus, reason;
+        if (prData.status === 'completed') {
+          newStatus = shared.PR_STATUS.MERGED;
+          reason = 'was merged';
+        } else if (prData.status === 'active') {
+          newStatus = shared.PR_STATUS.ACTIVE;
+          reason = 'was active';
+        } else if (prData.status === 'abandoned') {
+          // Genuinely abandoned on ADO too — mark so we don't re-probe.
+          updates.push({ prNumber: prNum, action: 'confirm404' });
+          confirmedDeleted++;
+          log('info', `Confirmed ADO PR #${prNum} (${probeKey}): truly abandoned, leaving abandoned`);
+          continue;
+        } else {
+          log('warn', `Skipped ADO PR #${prNum} (${probeKey}): unknown status ${JSON.stringify(prData.status)}`);
+          errored++;
+          continue;
+        }
+        updates.push({
+          prNumber: prNum,
+          action: 'flip',
+          newStatus,
+          mergedAt: prData.closedDate || null,
+        });
+        flipped++;
+        log('info', `Reconciled ADO PR #${prNum} (${probeKey}): abandoned → ${newStatus} (${reason})`);
+      } catch (err) {
+        const msg = String(err?.message || '');
+        if (/\b404\b|Not Found/i.test(msg)) {
+          // 404 on a specific PR with base-probe OK → genuinely deleted.
+          updates.push({ prNumber: prNum, action: 'confirm404' });
+          confirmedDeleted++;
+          log('info', `Confirmed ADO PR #${prNum} (${probeKey}): truly deleted (404), leaving abandoned`);
+        } else {
+          log('warn', `Abandoned PR reconciliation error on ADO PR #${prNum} (${probeKey}): ${msg}`);
+          errored++;
+        }
+      }
+    }
+
+    if (updates.length > 0) {
+      const reconciledAt = ts();
+      shared.mutatePullRequests(prPath, (currentPrs) => {
+        for (const upd of updates) {
+          const pr = currentPrs.find(p => shared.getPrNumber(p) === upd.prNumber);
+          if (!pr) continue;
+          // Defensive: never downgrade merged.
+          if (pr.status === shared.PR_STATUS.MERGED && upd.newStatus !== shared.PR_STATUS.MERGED) continue;
+          if (upd.action === 'flip') {
+            pr.status = upd.newStatus;
+            if (upd.mergedAt && !pr.mergedAt) pr.mergedAt = upd.mergedAt;
+            delete pr._consecutive404s;
+            delete pr._404Count;
+            delete pr._404FirstAt;
+            pr._reconciledAt = reconciledAt;
+            pr._reconciledFrom = 'startup-pass';
+          } else if (upd.action === 'confirm404') {
+            pr._reconciledAt = reconciledAt;
+            pr._reconciliation404Confirmed = true;
+          }
+        }
+        return currentPrs;
+      });
+    }
+  }
+
+  return { flipped, confirmedDeleted, skipped, errored };
+}
+
 module.exports = {
   getAdoToken,
   adoFetch,
   pollPrStatus,
   pollPrHumanComments,
   reconcilePrs,
+  reconcileAbandonedPrs, // W-mp60tw0u000j3931 — one-shot startup re-probe of abandoned PRs
   checkLiveReviewStatus,
   checkLiveBuildAndConflict,
   needsAdoPollRetry,

package/engine/cli.js

@@ -709,6 +709,32 @@ const commands = {
       }
     })();
 
+    // W-mp60tw0u000j3931: One-shot startup reconciliation for `abandoned` PRs.
+    // Pairs with W-mp5trwh60008386d's forward-looking 404 hardening — that
+    // fix prevents future false-flips, this pass un-flips PRs that were
+    // already wrongly marked `abandoned` before the hardening shipped (e.g.
+    // the 16 PRs hit by the 2026-05-14 gh-auth-flip incident). Version-gated
+    // via engine/state.json so it runs once per ENGINE_DEFAULTS.abandonedReconciliationVersion
+    // bump and is otherwise a no-op. Fire-and-forget — boot must not block on
+    // network calls; the pass operates on `abandoned` PRs while pollPrStatus
+    // operates on `active`/`linked`, so there is no per-record race.
+    (function startupReconcileAbandonedPrs() {
+      try {
+        const reconciler = require('./abandoned-pr-reconciliation');
+        Promise.resolve(reconciler.runStartupReconciliation(config))
+          .then(result => {
+            if (!result.skipped && result.totals.flipped > 0) {
+              console.log(`  Reconciled ${result.totals.flipped} abandoned PR(s) → active/merged/closed`);
+            }
+          })
+          .catch(err => {
+            e.log('warn', `Abandoned PR reconciliation failed at boot: ${err.message}`);
+          });
+      } catch (err) {
+        e.log('warn', `Abandoned PR reconciliation failed to start at boot: ${err.message}`);
+      }
+    })();
+
     // Initial tick
     e.tick();
 

package/engine/copilot-models.json

@@ -1,5 +1,5 @@
 {
   "runtime": "copilot",
   "models": null,
-  "cachedAt": "2026-05-14T22:39:03.456Z"
+  "cachedAt": "2026-05-15T00:20:53.688Z"
 }

package/engine/github.js

@@ -5,7 +5,7 @@
  */
 
 const shared = require('./shared');
-const { exec, execAsync, getProjects, projectPrPath, projectWorkItemsPath, safeJson, safeJsonArr, safeWrite, mutateJsonFileLocked, MINIONS_DIR, getPrLinks, backfillPrPrdItems, log, ts, dateStamp, PR_STATUS, PR_POLLABLE_STATUSES, ENGINE_DEFAULTS, createThrottleTracker, getProjectOrg } = shared;
+const { exec, execAsync, getProjects, projectPrPath, projectWorkItemsPath, safeJson, safeJsonArr, safeWrite, mutateJsonFileLocked, mutatePullRequests, MINIONS_DIR, getPrLinks, backfillPrPrdItems, log, ts, dateStamp, PR_STATUS, PR_POLLABLE_STATUSES, ENGINE_DEFAULTS, createThrottleTracker, getProjectOrg } = shared;
 const { getPrs } = require('./queries');
 const { MINIONS_COMMENT_MARKER_RE } = require('./gh-comment');
 const path = require('path');
@@ -1201,10 +1201,159 @@ async function checkLiveBuildAndConflict(pr, project) {
   }
 }
 
+// ─── One-Shot Startup Reconciliation for Abandoned PRs (W-mp60tw0u000j3931) ───
+//
+// Pairs with the W-mp5trwh60008386d 404-hardening fix in pollPrStatus.
+// pollPrStatus only iterates PR_POLLABLE_STATUSES = {active, linked} — once a
+// PR has status: 'abandoned' it is terminal for the regular poll loop. That
+// behavior is correct (no per-tick re-probing of dead PRs), but it leaves any
+// historical false-flips (e.g. the 16 PRs marked abandoned by the 2026-05-14
+// gh-auth-flip incident) permanently stuck unless something explicitly
+// re-probes the abandoned set.
+//
+// This function is the explicit re-probe. Same base-repo probe gate as
+// pollPrStatus (cached per slug for the duration of the pass), then a single
+// `repos/{slug}/pulls/{n}` per abandoned PR. Open → active, merged → merged,
+// closed (not merged) → closed, confirmed-404 → leave abandoned + mark
+// `_reconciliation404Confirmed: true` so we don't re-probe deleted PRs on
+// every future restart.
+//
+// Caller: engine/abandoned-pr-reconciliation.js (version-gated).
+async function reconcileAbandonedPrs(config) {
+  const projects = shared.getProjects(config).filter(isGitHub);
+  let flipped = 0, confirmedDeleted = 0, skipped = 0, errored = 0;
+  // Cache base-repo probe results for the duration of THIS pass — multiple
+  // projects can share the same slug (rare) and multiple PRs definitely share
+  // it. Cleared when the function returns.
+  const slugProbeCache = new Map(); // slug → 'ok' | 'fail'
+
+  for (const project of projects) {
+    const slug = getRepoSlug(project);
+    if (!slug) continue;
+
+    const prPath = projectPrPath(project);
+    const prs = safeJsonArr(prPath);
+    // Filter: only abandoned PRs that don't already have the confirmed-404
+    // marker from a previous reconciliation pass. Marker means "we already
+    // verified this PR is genuinely deleted on the server" — no point
+    // re-probing it on every future pass.
+    const abandonedPrs = prs.filter(pr =>
+      pr.status === PR_STATUS.ABANDONED
+      && !pr._reconciliation404Confirmed
+      && shared.isPrCompatibleWithProject(project, pr, pr.url || '')
+    );
+    if (abandonedPrs.length === 0) continue;
+
+    // Probe base repo (cached). Failure → skip ALL of this slug's abandoned
+    // PRs and increment skipped counter — auth/access issue at boot, retry
+    // next restart.
+    let probeResult = slugProbeCache.get(slug);
+    if (probeResult === undefined) {
+      const probe = await ghApi('', slug);
+      probeResult = (probe === null || probe === GH_NOT_FOUND) ? 'fail' : 'ok';
+      slugProbeCache.set(slug, probeResult);
+    }
+    if (probeResult === 'fail') {
+      log('warn', `Abandoned PR reconciliation: skipping ${slug} (${abandonedPrs.length} PR${abandonedPrs.length === 1 ? '' : 's'}) — base-repo probe failed, retry next startup`);
+      skipped += abandonedPrs.length;
+      continue;
+    }
+
+    // Per-PR re-probe. Collect updates first, then apply via mutatePullRequests
+    // for atomic single-writer semantics. We match by prNumber on writeback
+    // (not id) because mutatePullRequests calls normalizePrRecords which can
+    // lowercase the id slug — prNumber is the stable key within a project's
+    // pull-requests.json.
+    const updates = []; // { prNumber, action, newStatus?, mergedAt? }
+    for (const pr of abandonedPrs) {
+      const prNum = shared.getPrNumber(pr);
+      if (!prNum) continue;
+
+      try {
+        const prData = await ghApi(`/pulls/${prNum}`, slug);
+        if (prData === GH_NOT_FOUND) {
+          // 404 with base-probe OK → genuinely deleted. Mark so we don't
+          // re-probe this PR on future startups.
+          updates.push({ prNumber: prNum, action: 'confirm404' });
+          confirmedDeleted++;
+          log('info', `Confirmed PR #${prNum} (${slug}): truly deleted, leaving abandoned`);
+        } else if (prData) {
+          // Successful response. Map GitHub state to minions status.
+          let newStatus, reason;
+          if (prData.merged) {
+            newStatus = PR_STATUS.MERGED;
+            reason = 'was merged';
+          } else if (prData.state === 'open') {
+            newStatus = PR_STATUS.ACTIVE;
+            reason = 'was open';
+          } else if (prData.state === 'closed') {
+            newStatus = PR_STATUS.CLOSED;
+            reason = 'was closed';
+          } else {
+            // Unknown state — be defensive, leave as-is and don't mark as
+            // confirmed-404 either (wait for clearer signal next pass).
+            log('warn', `Skipped PR #${prNum} (${slug}): unknown GitHub state ${JSON.stringify(prData.state)}`);
+            errored++;
+            continue;
+          }
+          updates.push({
+            prNumber: prNum,
+            action: 'flip',
+            newStatus,
+            mergedAt: prData.merged_at || null,
+          });
+          flipped++;
+          log('info', `Reconciled PR #${prNum} (${slug}): abandoned → ${newStatus} (${reason})`);
+        } else {
+          // null = network/rate-limit/other non-404 error. Don't mark
+          // _reconciliation404Confirmed — we want to retry next startup.
+          log('warn', `Skipped PR #${prNum} (${slug}): API error, retry next startup`);
+          errored++;
+        }
+      } catch (err) {
+        log('warn', `Abandoned PR reconciliation error on PR #${prNum} (${slug}): ${err.message}`);
+        errored++;
+      }
+    }
+
+    if (updates.length > 0) {
+      const reconciledAt = ts();
+      mutatePullRequests(prPath, (currentPrs) => {
+        for (const upd of updates) {
+          const pr = currentPrs.find(p => shared.getPrNumber(p) === upd.prNumber);
+          if (!pr) continue;
+          // Defensive: never downgrade a merged record. Should already be
+          // filtered by the abandoned-only scan above, but a concurrent writer
+          // could have flipped it between our read and this write.
+          if (pr.status === PR_STATUS.MERGED && upd.action !== 'flip') continue;
+          if (pr.status === PR_STATUS.MERGED && upd.newStatus !== PR_STATUS.MERGED) continue;
+          if (upd.action === 'flip') {
+            pr.status = upd.newStatus;
+            if (upd.mergedAt && !pr.mergedAt) pr.mergedAt = upd.mergedAt;
+            // Clear stale 404-counter state from the false-flip era.
+            delete pr._consecutive404s;
+            delete pr._404Count;
+            delete pr._404FirstAt;
+            pr._reconciledAt = reconciledAt;
+            pr._reconciledFrom = 'startup-pass';
+          } else if (upd.action === 'confirm404') {
+            pr._reconciledAt = reconciledAt;
+            pr._reconciliation404Confirmed = true;
+          }
+        }
+        return currentPrs;
+      });
+    }
+  }
+
+  return { flipped, confirmedDeleted, skipped, errored };
+}
+
 module.exports = {
   pollPrStatus,
   pollPrHumanComments,
   reconcilePrs,
+  reconcileAbandonedPrs, // W-mp60tw0u000j3931 — one-shot startup re-probe of abandoned PRs
   checkLiveReviewStatus,
   checkLiveBuildAndConflict,
   isGhThrottled,

package/engine/shared.js

@@ -60,6 +60,11 @@ const MINIONS_DIR = process.env.MINIONS_TEST_DIR || resolveMinionsHome(false, {
 const ENGINE_DIR = path.join(MINIONS_DIR, 'engine');
 const CONTROL_PATH = path.join(ENGINE_DIR, 'control.json');
 const COOLDOWNS_PATH = path.join(ENGINE_DIR, 'cooldowns.json');
+// W-mp60tw0u000j3931: Persistent cross-restart engine state (migration markers,
+// one-shot reconciliation versions, etc.). Distinct from CONTROL_PATH which is
+// process-lifetime (state/pid/ownerToken). See ENGINE_DEFAULTS.abandonedReconciliationVersion
+// for the first consumer.
+const ENGINE_STATE_PATH = path.join(ENGINE_DIR, 'state.json');
 const PR_LINKS_PATH = path.join(MINIONS_DIR, 'engine', 'pr-links.json');
 const PINNED_ITEMS_PATH = path.join(MINIONS_DIR, 'engine', 'kb-pins.json');
 const LOG_PATH = path.join(MINIONS_DIR, 'engine', 'log.json');
@@ -725,6 +730,22 @@ function mutateControl(mutator) {
   }, { defaultValue: { state: 'stopped', pid: null }, skipWriteIfUnchanged: true });
 }
 
+// W-mp60tw0u000j3931: Lock-safe read-modify-write for engine/state.json — the
+// persistent cross-restart engine-level state file (migration markers,
+// one-shot reconciliation versions, etc.). Mirrors mutateControl's shape.
+function mutateEngineState(mutator) {
+  return mutateJsonFileLocked(ENGINE_STATE_PATH, (data) => {
+    if (!data || typeof data !== 'object' || Array.isArray(data)) data = {};
+    return mutator(data) || data;
+  }, { defaultValue: {}, skipWriteIfUnchanged: true });
+}
+
+function readEngineState() {
+  const data = safeJson(ENGINE_STATE_PATH);
+  if (!data || typeof data !== 'object' || Array.isArray(data)) return {};
+  return data;
+}
+
 function mutateCooldowns(mutator) {
   return mutateJsonFileLocked(COOLDOWNS_PATH, (data) => {
     if (!data || typeof data !== 'object' || Array.isArray(data)) data = {};
@@ -1101,6 +1122,15 @@ const ENGINE_DEFAULTS = {
   // → no flip), so the constant is GitHub-only today but lives in shared defaults so a future
   // ADO change can adopt the same semantics.
   prAbandonConfirmCount: 3,
+  // W-mp60tw0u000j3931: One-shot startup reconciliation pass for `abandoned` PRs runs
+  // exactly once per bump of this constant. The engine compares this value against
+  // engine/state.json:lastAbandonedReconciliationVersion at boot; if the on-disk version
+  // is lower, every project's pull-requests.json is scanned, every abandoned PR is
+  // re-probed, and any false-flipped PRs (e.g. transient 404 victims from before the
+  // hardening in W-mp5trwh60008386d shipped) are flipped back to active/merged/closed
+  // based on their live API state. Bump this when reconciliation logic itself changes
+  // and we want it to re-run once on every install.
+  abandonedReconciliationVersion: 1,
   watchesIncludeBehindBy: false, // opt-in: when true, GitHub PR poll calls /compare/{base}...{head} once per pr per pollPrStatusEvery cadence to populate pr.behindBy (powers the `behind-master` watch predicate). Off by default to avoid the extra API call. ADO PRs always get null (no commit-graph walk yet).
   autoCompletePrs: false, // auto-merge PRs when builds green + review approved (opt-in)
   prMergeMethod: 'squash', // merge method: squash, merge, rebase
@@ -2305,6 +2335,11 @@ function sanitizePath(file, baseDir) {
 
 const _DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
 
+// DoS caps for the recursive walk. Reaching either limit is treated as
+// "dangerous" — see hasDangerousKey() for rationale (P-e8b1d3a6 / F6).
+const HAS_DANGEROUS_KEY_MAX_DEPTH = 64;
+const HAS_DANGEROUS_KEY_MAX_NODES = 10000;
+
 /**
  * Detect the presence of prototype-pollution attack keys in a JSON-decoded payload.
  *
@@ -2315,43 +2350,55 @@ const _DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
  * but downstream code that shallow-merges the payload into a target object
  * CAN elevate it into a prototype write.
  *
- * Contract is **rejection, not sanitization**: we inspect the top level plus
- * one level deep and return a boolean. Deeper walks are intentionally skipped
- * to avoid their own DoS pathologies on adversarial inputs.
+ * Contract is **rejection, not sanitization**: we walk the full tree and
+ * return a boolean. To avoid DoS via deeply-nested or pathologically-wide
+ * inputs (stack exhaustion, unbounded CPU), the walk is capped:
+ *
+ * - Recursion depth > {@link HAS_DANGEROUS_KEY_MAX_DEPTH} (64) → return true.
+ * - Total visited nodes > {@link HAS_DANGEROUS_KEY_MAX_NODES} (10000) → return true.
+ *   Every recursive call counts (including primitive leaves and array elements),
+ *   so a pathologically wide payload trips the cap even if no key is dangerous.
+ *
+ * Returning `true` on overflow is the safe-by-default policy: the sole
+ * caller (dashboard.js request-body guard) rejects on `true`, so degrading
+ * to rejection is conservative. The caps also protect against cyclic
+ * objects, since each visit increments the node counter.
  *
  * - Null / undefined / primitives → false.
  * - Arrays are transparent: each element is checked at the same depth as the
- *   array itself (an array does NOT consume a depth level).
- * - Max object nesting inspected: 1. Dangerous keys at object-depth 2+
- *   are intentionally NOT flagged.
+ *   array itself (an array does NOT consume a depth level), but each element
+ *   visit increments the node counter.
  * - Never mutates the input.
  *
  * @param {*} obj - any JSON-decoded value
  * @param {number} [_depth=0] - internal recursion counter; do not pass externally
- * @returns {boolean} true if any forbidden key is present at object-depth ≤ 1
+ * @param {{n:number}} [_nodeCount={n:0}] - internal mutable node counter; do not pass externally
+ * @returns {boolean} true if any forbidden key is present, or if the depth/node cap is exceeded
  */
-function hasDangerousKey(obj, _depth = 0) {
+function hasDangerousKey(obj, _depth = 0, _nodeCount = { n: 0 }) {
+  // DoS caps: count EVERY visited node (including primitive leaves and
+  // array elements per F6 contract), and bail conservatively on either cap.
+  // Returning `true` on overflow is the safe-by-default policy since the
+  // sole caller (dashboard.js request-body guard) rejects on `true`.
+  if (++_nodeCount.n > HAS_DANGEROUS_KEY_MAX_NODES) return true;
+  if (_depth > HAS_DANGEROUS_KEY_MAX_DEPTH) return true;
+
   if (obj === null || obj === undefined || typeof obj !== 'object') return false;
 
   // Arrays are transparent — preserve depth when recursing into elements.
   if (Array.isArray(obj)) {
     for (const elt of obj) {
-      if (hasDangerousKey(elt, _depth)) return true;
+      if (hasDangerousKey(elt, _depth, _nodeCount)) return true;
     }
     return false;
   }
 
-  // Object: check own keys at the current depth.
+  // Object: check own keys at the current depth, then recurse into values.
   for (const key of Object.keys(obj)) {
     if (_DANGEROUS_KEYS.has(key)) return true;
   }
-
-  // Stop after one level of object nesting. Deeper recursion is an explicit
-  // non-goal (see DoS note in the header).
-  if (_depth >= 1) return false;
-
   for (const v of Object.values(obj)) {
-    if (hasDangerousKey(v, _depth + 1)) return true;
+    if (hasDangerousKey(v, _depth + 1, _nodeCount)) return true;
   }
   return false;
 }
@@ -3664,6 +3711,7 @@ module.exports = {
   openUrlInBrowser,
   CONTROL_PATH,
   COOLDOWNS_PATH,
+  ENGINE_STATE_PATH, // W-mp60tw0u000j3931
   PR_LINKS_PATH,
   PINNED_ITEMS_PATH,
   LOG_PATH,
@@ -3691,6 +3739,8 @@ module.exports = {
   withFileLock,
   mutateJsonFileLocked,
   mutateControl,
+  mutateEngineState, // W-mp60tw0u000j3931
+  readEngineState,   // W-mp60tw0u000j3931
   mutateCooldowns,
   mutateWorkItems,
   reopenWorkItem,
@@ -3789,6 +3839,8 @@ module.exports = {
   isAllowedOrigin,
   buildSecurityHeaders,
   hasDangerousKey,
+  HAS_DANGEROUS_KEY_MAX_DEPTH,
+  HAS_DANGEROUS_KEY_MAX_NODES,
   validateProjectName,
   validateProjectPath,
   validatePid,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.1948",
+  "version": "0.1.1950",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"