@yemi33/minions 0.1.1949 → 0.1.1951

package/engine/lifecycle.js

@@ -921,10 +921,17 @@ function syncPrsFromOutput(output, agentId, meta, config, opts = {}) {
               kind: 'positive-signal',
               body: `Closing duplicate — ${duplicateOnBranch.id} already tracks this branch.`,
             });
-            // Shell-quote the body — `dupComment` contains only ascii safe chars
-            // (the marker is `<!-- minions:agent=engine kind=positive-signal -->`).
-            execAsync(`gh pr close ${prId} --repo ${ghSlug} --comment ${JSON.stringify(dupComment)}`, { timeout: 15000 })
-              .catch(() => {});
+            // P-a7c4d2e8 (F2): argv-form gh + slug validation. ghSlug is regex-
+            // extracted from agent stdout (untrusted) — must validate. Passing
+            // the comment as a single argv element makes embedded `"`, backticks,
+            // `$()`, and newlines inert.
+            try {
+              const validatedSlug = shared.validateGhSlug(ghSlug);
+              shared.shellSafeGh(['pr', 'close', String(prId), '--repo', validatedSlug, '--comment', dupComment], { timeout: 15000 })
+                .catch(() => {});
+            } catch (validationErr) {
+              log('warn', `Skipping duplicate-PR close: invalid gh slug "${ghSlug.slice(0, 64)}": ${validationErr.message}`);
+            }
           }
         } catch { /* best-effort */ }
         continue;
@@ -1604,21 +1611,64 @@ async function updatePrAfterReview(agentId, pr, project, config, resultSummary,
   // If platform hasn't propagated the vote yet (returns 'pending'), keep current status unchanged.
   // The poller will pick up the real status on the next cycle (~3 min).
   let postReviewStatus = null; // null = don't change
+  let liveStatus = null;
+  const projectObjForChecks = reviewProject || shared.getProjects(config)[0];
+  const hostForChecks = projectObjForChecks?.repoHost || 'ado';
+  const checkFn = hostForChecks === 'github'
+    ? require('./github').checkLiveReviewStatus
+    : require('./ado').checkLiveReviewStatus;
   try {
-    const projectObj = reviewProject || shared.getProjects(config)[0];
-    if (projectObj) {
-      const host = projectObj.repoHost || 'ado';
-      const checkFn = host === 'github'
-        ? require('./github').checkLiveReviewStatus
-        : require('./ado').checkLiveReviewStatus;
-      const liveStatus = await checkFn(reviewPr, projectObj);
-      if (liveStatus && liveStatus !== 'pending') postReviewStatus = liveStatus;
+    if (projectObjForChecks) {
+      liveStatus = await checkFn(reviewPr, projectObjForChecks);
     }
   } catch (e) { log('warn', `Post-review status check for ${reviewPr.id}: ${e.message}`); }
 
+  // Capture the agent's verdict early so we can decide whether to reconcile
+  // the platform vote BEFORE we lock in postReviewStatus.
+  const verdictRaw = reviewVerdictFromCompletion(structuredCompletion) || parseReviewVerdict(resultSummary);
+  const reviewerLower = String(agentId || '').toLowerCase();
+  const authorLower = String(reviewPr.agent || '').toLowerCase();
+  const isSelfReview = !!(reviewerLower && authorLower && reviewerLower === authorLower);
+
+  // W-mp7b1g8q000fea45 — Reconcile stale own negative vote/review on verdict flip.
+  // When the agent flips request_changes → approved, the prior platform vote
+  // (ADO -5/-10 or GH CHANGES_REQUESTED review) is NOT auto-cleared; the live
+  // check above would still report 'changes-requested' / 'waiting' and override
+  // the agent's approved verdict, leaving humans with a misleading red badge.
+  // Actively clear the agent's prior negative on flip, then re-check live so we
+  // never claim approved if some OTHER reviewer (human, different minion
+  // account) still has a negative vote/review on the PR.
+  const prevReviewStatus = reviewPr?.reviewStatus || '';
+  const wasNegative = prevReviewStatus === 'changes-requested' || prevReviewStatus === 'waiting'
+    || liveStatus === 'changes-requested' || liveStatus === 'waiting';
+  if (verdictRaw === 'approved' && !isSelfReview && wasNegative && projectObjForChecks) {
+    try {
+      const reconcileFn = hostForChecks === 'github'
+        ? require('./github').dismissPriorViewerChangesRequestedReviews
+        : require('./ado').resetReviewerNegativeVote;
+      if (typeof reconcileFn === 'function') {
+        const result = await reconcileFn(reviewPr, projectObjForChecks);
+        const cleared = !!(result && (result.changed || result.dismissed > 0));
+        if (cleared) {
+          // Re-check live so a remaining negative from another reviewer still
+          // wins. If recheck fails, keep the prior liveStatus (conservative).
+          try {
+            const recheck = await checkFn(reviewPr, projectObjForChecks);
+            if (recheck != null) liveStatus = recheck;
+          } catch (e) { log('warn', `Post-reset live re-check for ${reviewPr.id}: ${e.message}`); }
+          log('info', `PR ${reviewPr.id}: cleared stale ${hostForChecks} negative vote/review by ${reviewerName} on flip → live now ${liveStatus}`);
+        }
+      }
+    } catch (e) {
+      log('warn', `Vote reconciliation for ${reviewPr.id}: ${e.message}`);
+    }
+  }
+
+  if (liveStatus && liveStatus !== 'pending') postReviewStatus = liveStatus;
+
   // Fallback: if live check returned pending (e.g., GitHub self-approval blocked), use the agent's completion report.
   if (!postReviewStatus) {
-    const verdict = reviewVerdictFromCompletion(structuredCompletion) || parseReviewVerdict(resultSummary);
+    const verdict = verdictRaw;
     if (verdict) {
       // P-e1c8a9d2 — Refuse self-review APPROVE: an agent approving their own PR
       // is meaningless self-promotion (PR #1867/#1868/#2253 all shipped this way).
@@ -1628,9 +1678,7 @@ async function updatePrAfterReview(agentId, pr, project, config, resultSummary,
       // the verdict and skips the no-verdict retry path, so _retryCount stays
       // unchanged. REQUEST_CHANGES from a self-author is still accepted — a
       // self-author flagging issues on their own PR is harmless and useful.
-      const reviewerLower = String(agentId || '').toLowerCase();
-      const authorLower = String(reviewPr.agent || '').toLowerCase();
-      if (verdict === 'approved' && reviewerLower && authorLower && reviewerLower === authorLower) {
+      if (verdict === 'approved' && isSelfReview) {
         log('warn', `review verdict rejected: self-review (reviewer=${reviewerName}, author=${reviewPr.agent})`);
       } else {
         postReviewStatus = verdict;
@@ -2038,6 +2086,16 @@ async function rebaseBranchOntoMain(pr, project, config) {
   const root = path.resolve(project.localPath);
   const mainBranch = shared.resolveMainBranch(root, project.mainBranch);
   const branch = pr.branch;
+  // P-a7c4d2e8 (F3): defense-in-depth — validate refs before any git command
+  // even though sanitizeBranch ran upstream. Older state may carry poisoned refs.
+  let validatedBranch, validatedMain;
+  try {
+    validatedBranch = shared.validateGitRef(branch);
+    validatedMain = shared.validateGitRef(mainBranch);
+  } catch (refErr) {
+    log('warn', `Post-merge rebase: refusing invalid ref (${refErr.message})`);
+    return { success: false, error: refErr.message };
+  }
   const wtRoot = path.resolve(root, config.engine?.worktreeRoot || ENGINE_DEFAULTS.worktreeRoot);
   const tmpWt = path.join(wtRoot, `rebase-${shared.sanitizeBranch(branch)}-${Date.now()}`).replace(/\\/g, '/');
   const _gitOpts = { cwd: root, timeout: 30000, windowsHide: true };
@@ -2054,34 +2112,34 @@ async function rebaseBranchOntoMain(pr, project, config) {
   }
 
   try {
-    await execAsync(`git fetch origin "${mainBranch}" "${branch}"`, _gitOpts);
+    await shared.shellSafeGit(['fetch', 'origin', validatedMain, validatedBranch], _gitOpts);
     try {
-      await execAsync(`git worktree add "${tmpWt}" "${branch}"`, { ..._gitOpts, timeout: 60000 });
+      await shared.shellSafeGit(['worktree', 'add', tmpWt, validatedBranch], { ..._gitOpts, timeout: 60000 });
     } catch (wtErr) {
       // Branch may already be checked out in a stale worktree — prune and retry once
       if (String(wtErr.message || wtErr).includes('already checked out')) {
-        await execAsync(`git worktree prune`, _gitOpts);
-        await execAsync(`git worktree add "${tmpWt}" "${branch}"`, { ..._gitOpts, timeout: 60000 });
+        await shared.shellSafeGit(['worktree', 'prune'], _gitOpts);
+        await shared.shellSafeGit(['worktree', 'add', tmpWt, validatedBranch], { ..._gitOpts, timeout: 60000 });
       } else { throw wtErr; }
     }
   } catch (err) {
     log('warn', `Post-merge rebase: setup failed for ${branch}: ${err.message}`);
-    try { await execAsync(`git worktree remove "${tmpWt}" --force`, _gitOpts); } catch {}
+    try { await shared.shellSafeGit(['worktree', 'remove', tmpWt, '--force'], _gitOpts); } catch {}
     return { success: false, error: err.message };
   }
 
   try {
-    await execAsync(`git rebase "origin/${mainBranch}"`, { cwd: tmpWt, timeout: 120000, windowsHide: true });
-    await execAsync(`git push --force-with-lease origin "${branch}"`, { cwd: tmpWt, timeout: 30000, windowsHide: true });
+    await shared.shellSafeGit(['rebase', `origin/${validatedMain}`], { cwd: tmpWt, timeout: 120000, windowsHide: true });
+    await shared.shellSafeGit(['push', '--force-with-lease', 'origin', validatedBranch], { cwd: tmpWt, timeout: 30000, windowsHide: true });
     log('info', `Post-merge rebase: rebased ${branch} onto ${mainBranch} and force-pushed`);
     return { success: true };
   } catch (err) {
-    try { await execAsync(`git rebase --abort`, { cwd: tmpWt, timeout: 10000, windowsHide: true }); } catch {}
+    try { await shared.shellSafeGit(['rebase', '--abort'], { cwd: tmpWt, timeout: 10000, windowsHide: true }); } catch {}
     log('warn', `Post-merge rebase failed for ${branch}: ${err.message}`);
     return { success: false, error: err.message };
   } finally {
     try { shared.removeWorktree(tmpWt, root, wtRoot); } catch {}
-    try { await execAsync(`git worktree prune`, _gitOpts); } catch {}
+    try { await shared.shellSafeGit(['worktree', 'prune'], _gitOpts); } catch {}
   }
 }
 
@@ -3194,9 +3252,60 @@ async function runPostCompletionHooks(dispatchItem, agentId, code, stdout, confi
   let { resultSummary, taskUsage, sessionId, model } = parseAgentOutput(stdout, runtimeName);
 
   // Prefer the sidecar completion report; keep fenced output as a compatibility fallback.
-  const reportCompletion = parseCompletionReportFile(dispatchItem, { warnIfMissing: true });
-  const fencedCompletion = reportCompletion ? null : parseStructuredCompletion(stdout, runtimeName);
-  const summaryCompletion = reportCompletion || fencedCompletion ? null : parseCompletionFieldSummary(resultSummary);
+  let reportCompletion = parseCompletionReportFile(dispatchItem, { warnIfMissing: true });
+
+  // P-d2a8f6c1 (agent trust boundary F8): validate the per-spawn nonce. The
+  // engine injects MINIONS_COMPLETION_NONCE per spawn and stamps it on the
+  // active-process record; here we compare it against the JSON report's
+  // `nonce` field. A mismatch means the report was forged (e.g. a prompt-
+  // injected agent wrote into a sibling agent's completion path) — discard
+  // every signal it carries (PR attachment, noop, status, retryable, …) and
+  // mark the dispatch failed with the dedicated failure_class. A missing
+  // nonce degrades to a warning by default for one release; flip
+  // ENGINE_DEFAULTS.completionNonceRequired (or engine.completionNonceRequired
+  // in config.json) to true to hard-fail missing nonces too. Mismatched
+  // nonces always hard-fail regardless of the flag. The fenced/summary
+  // fallbacks share the same trust boundary — once the JSON sidecar is
+  // proven untrusted, we don't fall back to stdout-derived completions
+  // either, since they cannot prove provenance.
+  let nonceMismatch = null;
+  const expectedNonce = (opts && typeof opts.expectedNonce === 'string' && opts.expectedNonce) ? opts.expectedNonce : null;
+  const completionNonceRequired = !!(opts && opts.completionNonceRequired);
+  if (expectedNonce && reportCompletion) {
+    const reportNonce = typeof reportCompletion.nonce === 'string' ? reportCompletion.nonce : null;
+    const wiId = dispatchItem.meta?.item?.id || 'N/A';
+    if (!reportNonce) {
+      if (completionNonceRequired) {
+        const reason = `Completion report missing required nonce for dispatch ${dispatchItem.id}`;
+        log('error', `[security] completion-nonce-missing dispatch=${dispatchItem.id} agent=${agentId || 'unknown'} wi=${wiId} required=true`);
+        nonceMismatch = {
+          severity: 'hard',
+          failureClass: shared.FAILURE_CLASS.COMPLETION_NONCE_MISMATCH,
+          reason,
+          kind: 'missing',
+        };
+      } else {
+        log('warn', `[security] completion-nonce-missing dispatch=${dispatchItem.id} agent=${agentId || 'unknown'} wi=${wiId} required=false (degraded — report honored)`);
+      }
+    } else if (reportNonce !== expectedNonce) {
+      const reason = `Completion report nonce mismatch for dispatch ${dispatchItem.id} — treating completion as untrusted`;
+      const expectedShort = expectedNonce.slice(0, 8);
+      const gotShort = String(reportNonce).slice(0, 8);
+      log('error', `[security] completion-nonce-mismatch dispatch=${dispatchItem.id} agent=${agentId || 'unknown'} wi=${wiId} expected=${expectedShort} got=${gotShort}`);
+      nonceMismatch = {
+        severity: 'hard',
+        failureClass: shared.FAILURE_CLASS.COMPLETION_NONCE_MISMATCH,
+        reason,
+        kind: 'mismatch',
+      };
+    }
+  }
+  if (nonceMismatch) {
+    reportCompletion = null;
+  }
+
+  const fencedCompletion = (nonceMismatch || reportCompletion) ? null : parseStructuredCompletion(stdout, runtimeName);
+  const summaryCompletion = (nonceMismatch || reportCompletion || fencedCompletion) ? null : parseCompletionFieldSummary(resultSummary);
   const fallbackCompletion = fencedCompletion || summaryCompletion;
   const fallbackSource = fencedCompletion && hasCompletionFence(stdout, runtimeName) ? 'fenced-completion' : 'summary-completion';
   // P-c8f5e1b3 — telemetry: completion-fallback. Emit a grep-able log + bump a
@@ -3259,19 +3368,27 @@ async function runPostCompletionHooks(dispatchItem, agentId, code, stdout, confi
 
   const completionStatus = normalizeCompletionStatus(structuredCompletion?.status);
   const agentNeedsRerun = parseCompletionBoolean(structuredCompletion?.needs_rerun ?? structuredCompletion?.needsRerun) === true;
-  const agentReportedFailure = completionStatus.startsWith('fail')
+  // P-d2a8f6c1: a nonce mismatch always counts as an agent-reported failure
+  // (regardless of what the discarded report claimed). This forces both the
+  // effectiveSuccess gate below and the dispatch result in engine.js to ERROR.
+  const agentReportedFailure = !!nonceMismatch
+    || completionStatus.startsWith('fail')
     || completionStatus === 'error'
     || hasActionableFailureClass(structuredCompletion?.failure_class)
     || agentNeedsRerun;
-  const agentRetryable = parseCompletionBoolean(structuredCompletion?.retryable);
+  // Untrusted completions cannot be honored as "retryable" by the agent — its
+  // retryable claim was discarded with the rest of the report. Force false.
+  const agentRetryable = nonceMismatch ? false : parseCompletionBoolean(structuredCompletion?.retryable);
 
   // Auto-recover: if a failed implement/fix/test agent created PRs, it likely succeeded before the failure surfaced.
+  // P-d2a8f6c1: skip auto-recovery for nonce-mismatched dispatches — a forged
+  // report shouldn't be able to ride PRs into a "done" status.
   const prCreatingType = type === WORK_TYPE.IMPLEMENT || type === WORK_TYPE.IMPLEMENT_LARGE || type === WORK_TYPE.FIX || type === WORK_TYPE.TEST;
-  const autoRecovered = !agentReportedFailure && !isSuccess && prsCreatedCount > 0 && prCreatingType && !!meta?.item?.id;
+  const autoRecovered = !nonceMismatch && !agentReportedFailure && !isSuccess && prsCreatedCount > 0 && prCreatingType && !!meta?.item?.id;
   if (autoRecovered) {
     log('info', `Auto-recovery: agent failed but created ${prsCreatedCount} PR(s) — upgrading ${meta.item.id} to done`);
   }
-  const effectiveSuccess = (isSuccess && !agentReportedFailure) || autoRecovered;
+  const effectiveSuccess = !nonceMismatch && ((isSuccess && !agentReportedFailure) || autoRecovered);
 
   let nonCleanReportWritten = false;
   if (completionStatus.startsWith('partial') || autoRecovered || (agentReportedFailure && isSuccess)) {
@@ -3696,7 +3813,7 @@ async function runPostCompletionHooks(dispatchItem, agentId, code, stdout, confi
   const metricsResult = isAutoRetry ? 'retry' : finalResult;
   updateMetrics(agentId, dispatchItem, metricsResult, taskUsage, prsCreatedCount, model);
 
-  return { resultSummary, taskUsage, autoRecovered, structuredCompletion, completionContractFailure, agentReportedFailure, agentRetryable };
+  return { resultSummary, taskUsage, autoRecovered, structuredCompletion, completionContractFailure, agentReportedFailure, agentRetryable, nonceMismatch };
 }
 
 // ─── PR → PRD Status Sync ─────────────────────────────────────────────────────

package/engine/playbook.js

@@ -451,6 +451,23 @@ function renderPlaybook(type, vars) {
     }
   }
 
+  // W-mp68q6ke0010de68 — opt-in keep_processes hint. Injected only when the
+  // dispatcher set vars.keep_processes (truthy) from the work item's
+  // `meta.keep_processes`. Built via the keep-process-sweep module so the
+  // copy stays in sync with the engine-side caps it actually enforces.
+  if (vars.keep_processes) {
+    try {
+      const keepProcessSweep = require('./keep-process-sweep');
+      const hint = keepProcessSweep.buildKeepProcessesHint({
+        agentId: vars.agent_id,
+        workItemId: vars.item_id || vars.task_id,
+        ttlMinutes: vars.keep_processes_ttl_minutes,
+        minionsDir: MINIONS_DIR,
+      });
+      if (hint) inertAppendices.push(hint);
+    } catch (e) { log('warn', `keep_processes hint render failed: ${e.message}`); }
+  }
+
   // Inject KB guardrail
   content += `\n\n---\n\n## Knowledge Base Rules\n\n`;
   content += `**Never delete, move, or overwrite files in \`knowledge/\`.** The sweep (consolidation engine) is the only process that writes to \`knowledge/\`. If you think a KB file is wrong, note it in your learnings file — do not touch \`knowledge/\` directly.\n`;

package/engine/queries.js

@@ -1526,6 +1526,75 @@ function resetPrdInfoCache() {
   _prdResultInputHash = '';
 }
 
+// ── Project git status (current branch + dirty/detached) ──────────────────
+// Cached per resolved localPath with a 30s TTL so /api/status doesn't shell
+// out to git on every poll. Mirrors the cache shape used by getDiskVersion in
+// dashboard.js (TTL + cached map). All git invocations pipe stderr to suppress
+// the `fatal: not a git repository` noise on non-git project paths — same
+// requirement enforced for install/boot paths in
+// test/unit/runtime-fleet-helpers.test.js:465.
+const _projectGitStatusCache = new Map();
+const PROJECT_GIT_STATUS_TTL = 30000; // 30s
+
+function _gitExec(localPath, args) {
+  const { execFileSync } = require('child_process');
+  return execFileSync('git', ['-C', localPath, ...args], {
+    encoding: 'utf8',
+    timeout: 10000,
+    windowsHide: true,
+    stdio: ['pipe', 'pipe', 'pipe'],
+  });
+}
+
+function getProjectGitStatus(localPath) {
+  const key = String(localPath || '').replace(/\\/g, '/');
+  if (!key) return { gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'missing' };
+  const now = Date.now();
+  const cached = _projectGitStatusCache.get(key);
+  if (cached && (now - cached.ts) < PROJECT_GIT_STATUS_TTL) return cached.value;
+
+  let value = { gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'missing' };
+  try {
+    if (!fs.existsSync(localPath)) {
+      // missing — cache the negative result
+    } else {
+      let isRepo = false;
+      try {
+        const out = _gitExec(localPath, ['rev-parse', '--is-inside-work-tree']).trim();
+        isRepo = out === 'true';
+      } catch { isRepo = false; }
+      if (!isRepo) {
+        value = { gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'non-git' };
+      } else {
+        let branch = null;
+        let detached = false;
+        try {
+          branch = _gitExec(localPath, ['rev-parse', '--abbrev-ref', 'HEAD']).trim() || null;
+        } catch { branch = null; }
+        if (branch === 'HEAD') {
+          detached = true;
+          try { branch = _gitExec(localPath, ['rev-parse', '--short', 'HEAD']).trim() || null; }
+          catch { branch = null; }
+        }
+        let dirty = false;
+        try {
+          const status = _gitExec(localPath, ['status', '--porcelain', '--untracked-files=no']);
+          dirty = status.length > 0;
+        } catch { dirty = false; }
+        value = { gitBranch: branch, gitDetached: detached, gitDirty: dirty, gitState: 'ok' };
+      }
+    }
+  } catch {
+    // Defensive — never let a git probe failure break /api/status
+    value = { gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'missing' };
+  }
+  _projectGitStatusCache.set(key, { ts: now, value });
+  return value;
+}
+
+/** Reset project git-status cache — exported for testing */
+function resetProjectGitStatusCache() { _projectGitStatusCache.clear(); }
+
 // ── Exports ─────────────────────────────────────────────────────────────────
 
 module.exports = {
@@ -1538,7 +1607,9 @@ module.exports = {
   readHeadTail, // exported for testing
   detectInFlightTool, // exported for testing
   resetPrdInfoCache,
+  resetProjectGitStatusCache,
   invalidateKnowledgeBaseCache,
+  getProjectGitStatus,
 
   // Core state
   getConfig, getControl, getDispatch, getDispatchQueue, getDispatchCompletionReport, invalidateDispatchCache,

package/engine/recovery.js

@@ -76,6 +76,12 @@ const RECOVERY_RECIPES = new Map([
     freshSession: true,
     description: 'Context exhausted — retry with fresh session, flag if repeated',
   }],
+  [FAILURE_CLASS.WORKTREE_PREFLIGHT, {
+    maxAttempts: 0,
+    escalation: ESCALATION_POLICY.NO_RETRY,
+    freshSession: false,
+    description: 'Worktree preflight rejected — same inputs will recompute to the same rejection (drive-root rootDir, nested-in-project worktree). Fix the dispatch (attach a project, move MINIONS_DIR, or override engine.worktreeRoot) before retrying.',
+  }],
   [FAILURE_CLASS.UNKNOWN, {
     maxAttempts: null, // null = fall back to ENGINE_DEFAULTS.maxRetries
     escalation: ESCALATION_POLICY.AUTO,