@yemi33/minions 0.1.1984 → 0.1.1986

package/engine/github.js

@@ -35,6 +35,29 @@ function _setExecAsyncForTest(fn) {
   _execAsyncOverride = (typeof fn === 'function') ? fn : null;
 }
 
+// P-f2-gh-shell (F2): parallel test seam for argv-form (shellSafeGh) shell-outs.
+// The legacy `_runExec` seam intercepts shell-string `gh api ...` invocations,
+// but the F2 conversion routes ghApi / build-log fetch / dismiss-review through
+// shared.shellSafeGh (execFile, shell:false). New tests can mock at the argv
+// level via `_setShellSafeGhForTest`; pre-existing tests that mock the shell-string
+// layer keep working because `_runShellSafeGh` falls back to the legacy override
+// by synthesizing a cmd string from argv (quoting any non-trivial argument so
+// existing `/"repos\/owner\/repo"$/`-style route patterns still match).
+let _shellSafeGhOverride = null;
+function _runShellSafeGh(args, opts) {
+  if (_shellSafeGhOverride) return _shellSafeGhOverride(args, opts);
+  if (_execAsyncOverride) {
+    const cmd = ['gh', ...args]
+      .map(a => /^[A-Za-z0-9_=.-]+$/.test(String(a)) ? String(a) : `"${String(a)}"`)
+      .join(' ');
+    return _execAsyncOverride(cmd, opts);
+  }
+  return shared.shellSafeGh(args, opts);
+}
+function _setShellSafeGhForTest(fn) {
+  _shellSafeGhOverride = (typeof fn === 'function') ? fn : null;
+}
+
 // ─── Constants ──────────────────────────────────────────────────────────────
 
 // 10 MB — prevents maxBuffer exceeded errors on repos with many open PRs.
@@ -270,11 +293,15 @@ const GH_NOT_FOUND = Object.freeze({ _notFound: true });
  */
 async function ghApi(endpoint, slug, opts = {}) {
   try {
-    const paginateFlag = opts.paginate ? ' --paginate' : '';
-    const cmd = `gh api${paginateFlag} "repos/${slug}${endpoint}"`;
+    // P-f2-gh-shell (F2): argv form via shellSafeGh — eliminates shell
+    // interpolation of slug/endpoint. validateGhSlug + validateGhEndpoint
+    // reject shell metacharacters before they reach child_process.
+    const args = ['api'];
+    if (opts.paginate) args.push('--paginate');
+    args.push(`repos/${shared.validateGhSlug(slug)}${shared.validateGhEndpoint(endpoint)}`);
     const token = ghToken.resolveTokenForSlug(slug);
     const env = token ? { ...process.env, GH_TOKEN: token } : undefined;
-    const result = await _runExec(cmd, { timeout: opts.timeout || 30000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER, env });
+    const result = await _runShellSafeGh(args, { timeout: opts.timeout || 30000, maxBuffer: GH_MAX_BUFFER, env });
     const parsed = JSON.parse(result);
     _ghThrottle.recordSuccess();
     return parsed;
@@ -340,12 +367,18 @@ async function fetchGhBuildErrorLog(slug, failedRuns) {
         }
       } catch { /* fall through to job log */ }
 
-      // Always fetch job log — annotations alone often lack test failure details
+      // Always fetch job log — annotations alone often lack test failure details.
+      // P-f2-gh-shell (F2): argv form via shellSafeGh. validateJobId rejects
+      // non-integer run.id values before they reach child_process. Stderr is
+      // captured via shellSafeGh's execFile path (stderr surfaces on the thrown
+      // Error in the catch block) instead of a `2>&1` shell redirect, which is
+      // moot once shell:false is in effect.
       try {
-        const cmd = `gh api "repos/${slug}/actions/jobs/${run.id}/logs" 2>&1`;
+        const jobId = shared.validateJobId(run.id);
+        const args = ['api', `repos/${shared.validateGhSlug(slug)}/actions/jobs/${jobId}/logs`];
         const token = ghToken.resolveTokenForSlug(slug);
         const env = token ? { ...process.env, GH_TOKEN: token } : undefined;
-        const result = await _runExec(cmd, { timeout: 15000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER, env });
+        const result = await _runShellSafeGh(args, { timeout: 15000, maxBuffer: GH_MAX_BUFFER, env });
         if (result && !result.includes('Not Found')) {
           logParts.push(`--- ${run.name || 'Check'} (log) ---\n${result}`);
         }
@@ -1235,26 +1268,45 @@ async function dismissPriorViewerChangesRequestedReviews(pr, project) {
     const os = require('os');
     let dismissed = 0;
     let errors = 0;
-    for (const reviewId of targets) {
-      tmpFile = path.join(os.tmpdir(), `gh-review-dismiss-${process.pid}-${Date.now()}-${reviewId}.json`);
-      const body = JSON.stringify({
-        message: 'Superseded by Minions re-review (verdict flipped to APPROVE).',
-        event: 'DISMISS',
-      });
-      try {
-        fs.writeFileSync(tmpFile, body);
-        const cmd = `gh api -X PUT --input "${tmpFile}" "repos/${slug}/pulls/${prNum}/reviews/${reviewId}/dismissals"`;
-        const token = ghToken.resolveTokenForSlug(slug);
-        const env = token ? { ...process.env, GH_TOKEN: token } : undefined;
-        await _runExec(cmd, { timeout: 10000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER, env });
-        dismissed += 1;
-        log('info', `PR ${pr.id}: dismissed prior CHANGES_REQUESTED review ${reviewId} by ${viewerLogin}`);
-      } catch (e) {
-        errors += 1;
-        log('warn', `PR ${pr.id}: dismiss review ${reviewId} failed: ${e?.message || e}`);
-      } finally {
-        try { fs.unlinkSync(tmpFile); } catch {}
-        tmpFile = null;
+    // P-f6-tmp-toctou: per-call mkdtempSync dir (random 6-char suffix) closes
+    // the predictable-prefix window on <os.tmpdir>/gh-review-dismiss-* that
+    // an attacker could otherwise plant as a symlink.
+    // P-f2-gh-shell: argv form via shellSafeGh — validates slug, prNum, and
+    // reviewId so a poisoned PR record can't smuggle shell metacharacters.
+    let scopedDir = null;
+    try {
+      scopedDir = fs.mkdtempSync(path.join(os.tmpdir(), 'gh-review-dismiss-'));
+      if (process.platform !== 'win32') {
+        try { fs.chmodSync(scopedDir, 0o700); } catch { /* best-effort */ }
+      }
+      for (const reviewId of targets) {
+        tmpFile = path.join(scopedDir, `dismiss-${reviewId}.json`);
+        const body = JSON.stringify({
+          message: 'Superseded by Minions re-review (verdict flipped to APPROVE).',
+          event: 'DISMISS',
+        });
+        try {
+          fs.writeFileSync(tmpFile, body);
+          const args = [
+            'api', '-X', 'PUT', '--input', tmpFile,
+            `repos/${shared.validateGhSlug(slug)}/pulls/${shared.validatePrNum(prNum)}/reviews/${shared.validateReviewId(reviewId)}/dismissals`,
+          ];
+          const token = ghToken.resolveTokenForSlug(slug);
+          const env = token ? { ...process.env, GH_TOKEN: token } : undefined;
+          await _runShellSafeGh(args, { timeout: 10000, maxBuffer: GH_MAX_BUFFER, env });
+          dismissed += 1;
+          log('info', `PR ${pr.id}: dismissed prior CHANGES_REQUESTED review ${reviewId} by ${viewerLogin}`);
+        } catch (e) {
+          errors += 1;
+          log('warn', `PR ${pr.id}: dismiss review ${reviewId} failed: ${e?.message || e}`);
+        } finally {
+          try { fs.unlinkSync(tmpFile); } catch {}
+          tmpFile = null;
+        }
+      }
+    } finally {
+      if (scopedDir) {
+        try { fs.rmSync(scopedDir, { recursive: true, force: true }); } catch {}
       }
     }
     return { attempted: true, dismissed, errors };
@@ -1515,5 +1567,6 @@ module.exports = {
   _setCachedViewerLogin, // exported for testing (W-mp3bp0ha000997ab-b backfill)
   _backfillViewerDidAuthor, // exported for testing (W-mp3bp0ha000997ab-b backfill)
   _setExecAsyncForTest, // W-mp5trwh60008386d: test seam to mock `gh api` shell-outs
+  _setShellSafeGhForTest, // P-f2-gh-shell (F2): test seam to mock argv-form gh api calls
   GH_NOT_FOUND, // W-mp5trwh60008386d: exported so tests can assert sentinel propagation
 };

package/engine/issues.js

@@ -327,9 +327,19 @@ function createGitHubIssue({
   const safeTitle = _redactIssueContent(title, { repo, projects: redactionProjects });
   const safeDescription = _redactIssueContent(description || '', { repo, projects: redactionProjects });
   const issueBody = `${safeDescription}\n\n---\n_Filed via Minions dashboard_`;
-  const dir = tmpDir || path.join(__dirname, 'tmp');
-  fs.mkdirSync(dir, { recursive: true });
-  const bodyFile = path.join(dir, `bug-body-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}.md`);
+  // P-f6-tmp-toctou: per-call mkdtempSync dir (under engine/tmp/ for
+  // collocation with other engine tmp state). Random suffix closes the
+  // predictable-prefix window on engine/tmp/bug-body-* that an attacker could
+  // otherwise plant as a symlink.
+  let scopedDir = null;
+  let bodyFile;
+  if (tmpDir) {
+    fs.mkdirSync(tmpDir, { recursive: true });
+    bodyFile = path.join(tmpDir, `bug-body-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}.md`);
+  } else {
+    scopedDir = shared.createDispatchTmpDir(`issues-${process.pid}-${Date.now()}`);
+    bodyFile = path.join(scopedDir, 'bug-body.md');
+  }
   fs.writeFileSync(bodyFile, issueBody);
 
   let resolved;
@@ -377,6 +387,7 @@ function createGitHubIssue({
     throw new GitHubIssueError(`GitHub issue creation failed: ${conciseGhMessage(e)}`);
   } finally {
     try { fs.unlinkSync(bodyFile); } catch {}
+    if (scopedDir) shared.removeDispatchTmpDir(scopedDir);
   }
 }
 

package/engine/lifecycle.js

@@ -12,6 +12,7 @@ const { safeRead, safeJson, safeJsonNoRestore, safeWrite, mutateJsonFileLocked,
   ENGINE_DEFAULTS, DEFAULT_AGENT_METRICS, FAILURE_CLASS } = shared;
 const { trackEngineUsage } = require('./llm');
 const { resolveRuntime } = require('./runtimes');
+const adoGitAuth = require('./ado-git-auth');
 const queries = require('./queries');
 const { isBranchActive } = require('./cooldown');
 const { worktreeMatchesBranch, getWorktreeBranch, cleanupMergedPrLocalBranch } = require('./cleanup');
@@ -271,30 +272,66 @@ function checkPlanCompletion(meta, config) {
         continue;
       }
 
-      // Build per-project setup block
+      // Build per-project setup block.
+      // P-f3-verify-prompt — validate every branch ref before splicing into
+      // the bash setup commands the verify agent will execute. Without this,
+      // a crafted `plan.feature_branch` (e.g. `main; rm -rf ~`) or PR
+      // `branch` field reaches the Bash tool via template literal
+      // interpolation. github.js validates pr.branch on API persistence
+      // (engine/github.js:612-622), but feature_branch has no upstream
+      // validator and mainBranch can fall through unvalidated from project
+      // config when `git rev-parse` can't verify it (shared.js:1328). Defense
+      // in depth lives here, at the actual interpolation site.
       let checkoutBlock;
       let wtPath;
       if (isSharedBranch) {
+        let safeFeatureBranch;
+        try {
+          safeFeatureBranch = shared.validateGitRef(plan.feature_branch);
+        } catch (refErr) {
+          log('error', `Plan ${planFile}: verify dispatch rejected for ${projName} — invalid feature_branch ref: ${refErr.message}. Skipping verify WI creation.`);
+          continue;
+        }
         wtPath = `${p.localPath}/../worktrees/verify-${projName}-${planSlug}`;
-        const featureBranch = plan.feature_branch;
         checkoutBlock = [
           `# ${projName} — shared-branch: use existing feature branch directly`,
           `cd "${p.localPath.replace(/\\/g, '/')}"`,
-          `git fetch origin "${featureBranch}"`,
-          `git worktree add "${wtPath}" "origin/${featureBranch}" 2>/dev/null || (cd "${wtPath}" && git checkout "${featureBranch}" && git pull origin "${featureBranch}")`,
+          `git fetch origin "${safeFeatureBranch}"`,
+          `git worktree add "${wtPath}" "origin/${safeFeatureBranch}" 2>/dev/null || (cd "${wtPath}" && git checkout "${safeFeatureBranch}" && git pull origin "${safeFeatureBranch}")`,
         ].join('\n');
       } else {
+        let safeMainBranch;
+        try {
+          safeMainBranch = shared.validateGitRef(mainBranch);
+        } catch (refErr) {
+          log('error', `Plan ${planFile}: verify dispatch rejected for ${projName} — invalid mainBranch ref: ${refErr.message}. Skipping verify WI creation.`);
+          continue;
+        }
+        const safeBranches = [];
+        let badPrBranch = null;
+        for (const pr of prs) {
+          if (!pr.branch) continue;
+          try {
+            safeBranches.push({ id: pr.id || pr.branch, branch: shared.validateGitRef(pr.branch) });
+          } catch (refErr) {
+            badPrBranch = { id: pr.id || '(unknown)', raw: pr.branch, err: refErr };
+            break;
+          }
+        }
+        if (badPrBranch) {
+          log('error', `Plan ${planFile}: verify dispatch rejected for ${projName} — invalid pr.branch[${badPrBranch.id}] ref: ${badPrBranch.err.message}. Skipping verify WI creation.`);
+          continue;
+        }
         wtPath = `${p.localPath}/../worktrees/verify-${projName}-${planSlug}-${shared.uid()}`;
-        const branches = prs.map(pr => pr.branch).filter(Boolean);
         checkoutBlock = [
-          `# ${projName} — merge ${branches.length} PR branch(es) into one worktree`,
+          `# ${projName} — merge ${safeBranches.length} PR branch(es) into one worktree`,
           `cd "${p.localPath.replace(/\\/g, '/')}"`,
-          branches.length > 0
-            ? `git fetch origin ${branches.map(b => `"${b}"`).join(' ')} "${mainBranch}"`
-            : `git fetch origin "${mainBranch}"`,
-          `git worktree add "${wtPath}" "origin/${mainBranch}" 2>/dev/null || (cd "${wtPath}" && git checkout "${mainBranch}" && git pull origin "${mainBranch}")`,
+          safeBranches.length > 0
+            ? `git fetch origin ${safeBranches.map(({ branch }) => `"${branch}"`).join(' ')} "${safeMainBranch}"`
+            : `git fetch origin "${safeMainBranch}"`,
+          `git worktree add "${wtPath}" "origin/${safeMainBranch}" 2>/dev/null || (cd "${wtPath}" && git checkout "${safeMainBranch}" && git pull origin "${safeMainBranch}")`,
           `cd "${wtPath}"`,
-          ...branches.map(b => `git merge "origin/${b}" --no-edit  # ${prs.find(pr => pr.branch === b)?.id || b}`),
+          ...safeBranches.map(({ id, branch }) => `git merge "origin/${branch}" --no-edit  # ${id}`),
         ].join('\n');
       }
 
@@ -2104,7 +2141,11 @@ async function rebaseBranchOntoMain(pr, project, config) {
   }
   const wtRoot = path.resolve(root, config.engine?.worktreeRoot || ENGINE_DEFAULTS.worktreeRoot);
   const tmpWt = path.join(wtRoot, `rebase-${shared.sanitizeBranch(branch)}-${Date.now()}`).replace(/\\/g, '/');
-  const _gitOpts = { cwd: root, timeout: 30000, windowsHide: true };
+  // W-mpcuc8i80003a7b3 — thread ADO bearer-token args through every remote-touching
+  // git op in the rebase flow so headless post-merge rebase against ADO origin
+  // survives missing GCM creds. For GitHub/local projects this is a no-op.
+  const _gitExtraArgs = adoGitAuth.getAdoGitExtraArgs(project);
+  const _gitOpts = { cwd: root, timeout: 30000, windowsHide: true, gitExtraArgs: _gitExtraArgs };
 
   // Refuse to create a worktree nested in the project root — would cause
   // glob/grep tools running with cwd=root to match both copies of every file
@@ -2135,8 +2176,8 @@ async function rebaseBranchOntoMain(pr, project, config) {
   }
 
   try {
-    await shared.shellSafeGit(['rebase', `origin/${validatedMain}`], { cwd: tmpWt, timeout: 120000, windowsHide: true });
-    await shared.shellSafeGit(['push', '--force-with-lease', 'origin', validatedBranch], { cwd: tmpWt, timeout: 30000, windowsHide: true });
+    await shared.shellSafeGit(['rebase', `origin/${validatedMain}`], { cwd: tmpWt, timeout: 120000, windowsHide: true, gitExtraArgs: _gitExtraArgs });
+    await shared.shellSafeGit(['push', '--force-with-lease', 'origin', validatedBranch], { cwd: tmpWt, timeout: 30000, windowsHide: true, gitExtraArgs: _gitExtraArgs });
     log('info', `Post-merge rebase: rebased ${branch} onto ${mainBranch} and force-pushed`);
     return { success: true };
   } catch (err) {

package/engine/llm.js

@@ -319,10 +319,13 @@ function _spawnProcess(promptText, sysPromptText, callOpts) {
   } = callOpts;
 
   const id = uid();
-  const tmpDir = path.join(ENGINE_DIR, 'tmp');
-  if (!fs.existsSync(tmpDir)) fs.mkdirSync(tmpDir, { recursive: true });
+  // P-f6-tmp-toctou: each direct/indirect LLM call gets its own unguessable
+  // tmp dir (mkdtempSync + chmod 0o700 on POSIX). The whole dir is rm'd by
+  // cleanupFiles consumers via shared.removeDispatchTmpDir.
+  const llmTmpDir = shared.createDispatchTmpDir(`llm-${label || 'call'}-${id}`);
 
   const cleanupFiles = [];
+  const cleanupDirs = [llmTmpDir];
   const caps = (runtime && runtime.capabilities) || {};
   const adapterOpts = {
     model, maxTurns, allowedTools, effort, sessionId,
@@ -346,7 +349,7 @@ function _spawnProcess(promptText, sysPromptText, callOpts) {
     // via --system-prompt-file (Claude) AND we're not resuming (resumed sessions
     // already have the sys prompt baked in).
     if (!sessionId && sysPromptText && caps.systemPromptFile) {
-      sysTmpPath = path.join(tmpDir, `direct-sys-${id}.md`);
+      sysTmpPath = path.join(llmTmpDir, `direct-sys-${id}.md`);
       fs.writeFileSync(sysTmpPath, sysPromptText);
       cleanupFiles.push(sysTmpPath);
       adapterOpts.sysPromptFile = sysTmpPath;
@@ -369,12 +372,12 @@ function _spawnProcess(promptText, sysPromptText, callOpts) {
     } else {
       try { proc.stdin.write(finalPrompt); proc.stdin.end(); } catch { /* broken pipe */ }
     }
-    return { proc, cleanupFiles };
+    return { proc, cleanupFiles, cleanupDirs };
   }
 
   // Indirect: use spawn-agent.js (when direct=false or binary cache miss)
-  const promptPath = path.join(tmpDir, `${label}-prompt-${id}.md`);
-  const sysPath = path.join(tmpDir, `${label}-sys-${id}.md`);
+  const promptPath = path.join(llmTmpDir, `${label}-prompt-${id}.md`);
+  const sysPath = path.join(llmTmpDir, `${label}-sys-${id}.md`);
   // The wrapper merges sys prompt into the user prompt for runtimes without
   // --system-prompt-file (Copilot) — write the user prompt as `finalPrompt`
   // (system block already prepended by buildPrompt) for those, and just the
@@ -402,7 +405,7 @@ function _spawnProcess(promptText, sysPromptText, callOpts) {
   const proc = runFile(process.execPath, args, {
     cwd: MINIONS_DIR, stdio: ['pipe', 'pipe', 'pipe'], env: cleanChildEnv(),
   });
-  return { proc, cleanupFiles };
+  return { proc, cleanupFiles, cleanupDirs };
 }
 
 // ─── Streaming Accumulator ───────────────────────────────────────────────────
@@ -621,7 +624,7 @@ function callLLM(promptText, sysPromptText, opts = {}) {
   let _abort = null;
   const promise = new Promise((resolve) => {
     const _startMs = Date.now();
-    const { proc, cleanupFiles } = _spawnProcess(promptText, sysPromptText, {
+    const { proc, cleanupFiles, cleanupDirs } = _spawnProcess(promptText, sysPromptText, {
       direct, label, runtime, model, maxTurns, allowedTools, effort, sessionId,
       maxBudget, bare, fallbackModel,
       ...runtimeFeatureOpts,
@@ -657,6 +660,7 @@ function callLLM(promptText, sysPromptText, opts = {}) {
       clearTimeout(timer);
       if (exitFallbackTimer) { clearTimeout(exitFallbackTimer); exitFallbackTimer = null; }
       for (const f of cleanupFiles) safeUnlink(f);
+      for (const d of (cleanupDirs || [])) shared.removeDispatchTmpDir(d);
       const parsed = acc.finalize();
       const durationMs = Date.now() - _startMs;
       const usage = parsed.usage ? { ...parsed.usage, durationMs } : { durationMs };
@@ -694,6 +698,7 @@ function callLLM(promptText, sysPromptText, opts = {}) {
       clearTimeout(timer);
       if (exitFallbackTimer) { clearTimeout(exitFallbackTimer); exitFallbackTimer = null; }
       for (const f of cleanupFiles) safeUnlink(f);
+      for (const d of (cleanupDirs || [])) shared.removeDispatchTmpDir(d);
       shared.log('error', `LLM spawn error (${label}): ${err.message}`);
       resolve({
         text: '', usage: null, sessionId: null, code: 1,
@@ -733,7 +738,7 @@ function callLLMStreaming(promptText, sysPromptText, opts = {}) {
   let _abort = null;
   const promise = new Promise((resolve) => {
     const _startMs = Date.now();
-    const { proc, cleanupFiles } = _spawnProcess(promptText, sysPromptText, {
+    const { proc, cleanupFiles, cleanupDirs } = _spawnProcess(promptText, sysPromptText, {
       direct, label, runtime, model, maxTurns, allowedTools, effort, sessionId,
       maxBudget, bare, fallbackModel,
       ...runtimeFeatureOpts,
@@ -772,6 +777,7 @@ function callLLMStreaming(promptText, sysPromptText, opts = {}) {
       clearTimeout(timer);
       if (exitFallbackTimer) { clearTimeout(exitFallbackTimer); exitFallbackTimer = null; }
       for (const f of cleanupFiles) safeUnlink(f);
+      for (const d of (cleanupDirs || [])) shared.removeDispatchTmpDir(d);
       const parsed = acc.finalize();
       const durationMs = Date.now() - _startMs;
       const usage = parsed.usage ? { ...parsed.usage, durationMs } : { durationMs };
@@ -806,6 +812,7 @@ function callLLMStreaming(promptText, sysPromptText, opts = {}) {
       clearTimeout(timer);
       if (exitFallbackTimer) { clearTimeout(exitFallbackTimer); exitFallbackTimer = null; }
       for (const f of cleanupFiles) safeUnlink(f);
+      for (const d of (cleanupDirs || [])) shared.removeDispatchTmpDir(d);
       shared.log('error', `LLM-stream spawn error (${label}): ${err.message}`);
       resolve({
         text: '', usage: null, sessionId: null, code: 1,

package/engine/meeting.js

@@ -694,6 +694,7 @@ function _killMeetingDispatches(meetingId) {
     const tmpDir = path.join(shared.MINIONS_DIR, 'engine', 'tmp');
     const entriesToStop = [];
     const filesToDelete = [];
+    const dispatchDirsToRemove = [];
     shared.mutateJsonFileLocked(DISPATCH_PATH, (dp) => {
       dp.pending = Array.isArray(dp.pending) ? dp.pending : [];
       dp.active = Array.isArray(dp.active) ? dp.active : [];
@@ -707,10 +708,17 @@ function _killMeetingDispatches(meetingId) {
             continue;
           }
           entriesToStop.push(d);
-          filesToDelete.push(path.join(tmpDir, `pid-${d.id}.pid`));
-          filesToDelete.push(path.join(tmpDir, `prompt-${d.id}.md`));
-          filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md`));
-          filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md.tmp`));
+          // P-f6-tmp-toctou: prefer per-dispatch dir cleanup. Fall back to
+          // legacy individual-file cleanup for entries that pre-date the
+          // per-dispatch-dir layout.
+          if (d.tmpDir && shared.validateDispatchTmpDir(d.tmpDir)) {
+            dispatchDirsToRemove.push(d.tmpDir);
+          } else {
+            filesToDelete.push(path.join(tmpDir, `pid-${d.id}.pid`));
+            filesToDelete.push(path.join(tmpDir, `prompt-${d.id}.md`));
+            filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md`));
+            filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md.tmp`));
+          }
         }
         dp[queue] = kept;
       }
@@ -725,7 +733,7 @@ function _killMeetingDispatches(meetingId) {
     const pidsToKill = [];
     for (const d of entriesToStop) {
       try {
-        const pidFile = path.join(tmpDir, `pid-${d.id}.pid`);
+        const pidFile = shared.findDispatchPidFile(d) || path.join(tmpDir, `pid-${d.id}.pid`);
         const pid = shared.validatePid(fs.readFileSync(pidFile, 'utf8').trim());
         pidsToKill.push(pid);
       } catch { /* pending entries and already-finished agents may not have PID files */ }
@@ -736,6 +744,9 @@ function _killMeetingDispatches(meetingId) {
     for (const fp of filesToDelete) {
       try { fs.unlinkSync(fp); } catch { /* sidecar may not exist */ }
     }
+    for (const dir of dispatchDirsToRemove) {
+      shared.removeDispatchTmpDir(dir);
+    }
 
     if (entriesToStop.length > 0) log('info', `Killed ${entriesToStop.length} meeting dispatch(es) for ${meetingId}`);
     return entriesToStop.length;

package/engine/queries.js

@@ -1527,73 +1527,142 @@ function resetPrdInfoCache() {
 }
 
 // ── Project git status (current branch + dirty/detached) ──────────────────
-// Cached per resolved localPath with a 30s TTL so /api/status doesn't shell
-// out to git on every poll. Mirrors the cache shape used by getDiskVersion in
-// dashboard.js (TTL + cached map). All git invocations pipe stderr to suppress
-// the `fatal: not a git repository` noise on non-git project paths — same
-// requirement enforced for install/boot paths in
+// Cached per resolved localPath with a 5-minute TTL. `getProjectGitStatus` is
+// synchronous (returns the cached value or a pending placeholder) and NEVER
+// blocks the event loop — the actual git probes run asynchronously via
+// child_process.execFile and write back into the cache when they settle. This
+// is critical for /api/status responsiveness: under the previous synchronous
+// implementation, four projects × three git invocations was ~12 sync shell-outs
+// per slow-state rebuild, which on Windows + Defender real-time scanning could
+// block the event loop long enough to starve SSE heartbeats and drop the CC
+// drawer's "Dashboard connection lost". Mirrors the cache shape used by
+// getDiskVersion in dashboard.js (TTL + cached map). All git invocations pipe
+// stderr to suppress the `fatal: not a git repository` noise on non-git project
+// paths — same requirement enforced for install/boot paths in
 // test/unit/runtime-fleet-helpers.test.js:465.
+// Single map keyed by normalized localPath. Each entry holds `{ts, value, promise}`:
+//   ts:      last-settled timestamp (Date.now()), or 0 if never settled
+//   value:   last-settled status object (or PROJECT_GIT_STATUS_PENDING placeholder)
+//   promise: in-flight refresh Promise, or null when idle
+// Folding state + in-flight into one map keeps reads/writes atomic and removes
+// the second-Map sync hazard.
 const _projectGitStatusCache = new Map();
-const PROJECT_GIT_STATUS_TTL = 30000; // 30s
-
+const PROJECT_GIT_STATUS_TTL = 300000; // 5 minutes
+const PROJECT_GIT_STATUS_PENDING = Object.freeze({ gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'pending' });
+const PROJECT_GIT_STATUS_MISSING = Object.freeze({ gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'missing' });
+const PROJECT_GIT_STATUS_NON_GIT = Object.freeze({ gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'non-git' });
+
+// Async git invocation. Promise-returning so getProjectGitStatus can fire
+// background refreshes without blocking the event loop. Pipes stderr to keep
+// `fatal: not a git repository` from leaking to the dashboard console.
 function _gitExec(localPath, args) {
-  const { execFileSync } = require('child_process');
-  return execFileSync('git', ['-C', localPath, ...args], {
-    encoding: 'utf8',
-    timeout: 10000,
-    windowsHide: true,
-    stdio: ['pipe', 'pipe', 'pipe'],
+  const { execFile } = require('child_process');
+  return new Promise((resolve, reject) => {
+    execFile('git', ['-C', localPath, ...args], {
+      encoding: 'utf8',
+      timeout: 10000,
+      windowsHide: true,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    }, (err, stdout) => {
+      if (err) reject(err);
+      else resolve(stdout);
+    });
+  });
+}
+
+// Probe a single project. Returns the resolved status value. Used both by the
+// background refresh path inside getProjectGitStatus and by test code that
+// wants to drive a probe to completion deterministically.
+async function _probeProjectGitStatus(localPath) {
+  try {
+    if (!fs.existsSync(localPath)) return PROJECT_GIT_STATUS_MISSING;
+    let isRepo = false;
+    try {
+      const out = (await _gitExec(localPath, ['rev-parse', '--is-inside-work-tree'])).trim();
+      isRepo = out === 'true';
+    } catch { isRepo = false; }
+    if (!isRepo) return PROJECT_GIT_STATUS_NON_GIT;
+    let branch = null;
+    let detached = false;
+    try {
+      branch = (await _gitExec(localPath, ['rev-parse', '--abbrev-ref', 'HEAD'])).trim() || null;
+    } catch { branch = null; }
+    if (branch === 'HEAD') {
+      detached = true;
+      try { branch = (await _gitExec(localPath, ['rev-parse', '--short', 'HEAD'])).trim() || null; }
+      catch { branch = null; }
+    }
+    let dirty = false;
+    try {
+      const status = await _gitExec(localPath, ['status', '--porcelain', '--untracked-files=no']);
+      dirty = status.length > 0;
+    } catch { dirty = false; }
+    return { gitBranch: branch, gitDetached: detached, gitDirty: dirty, gitState: 'ok' };
+  } catch {
+    // Defensive — never let a git probe failure escape this helper.
+    return PROJECT_GIT_STATUS_MISSING;
+  }
+}
+
+function _scheduleProjectGitStatusRefresh(localPath, key) {
+  const existing = _projectGitStatusCache.get(key);
+  if (existing && existing.promise) return existing.promise;
+  const entry = existing || { ts: 0, value: PROJECT_GIT_STATUS_PENDING, promise: null };
+  entry.promise = _probeProjectGitStatus(localPath).then(value => {
+    entry.ts = Date.now();
+    entry.value = value;
+    entry.promise = null;
+    return value;
+  }, () => {
+    entry.promise = null;
+    return null;
   });
+  _projectGitStatusCache.set(key, entry);
+  return entry.promise;
 }
 
 function getProjectGitStatus(localPath) {
   const key = String(localPath || '').replace(/\\/g, '/');
-  if (!key) return { gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'missing' };
+  if (!key) return PROJECT_GIT_STATUS_MISSING;
   const now = Date.now();
   const cached = _projectGitStatusCache.get(key);
-  if (cached && (now - cached.ts) < PROJECT_GIT_STATUS_TTL) return cached.value;
+  if (cached && cached.ts && (now - cached.ts) < PROJECT_GIT_STATUS_TTL) return cached.value;
+  // Cheap synchronous existsSync — short-circuits a path that just disappeared
+  // (project removed) without scheduling a useless git probe.
+  if (!fs.existsSync(localPath)) {
+    _projectGitStatusCache.set(key, { ts: now, value: PROJECT_GIT_STATUS_MISSING, promise: null });
+    return PROJECT_GIT_STATUS_MISSING;
+  }
+  // Stale or never-populated — kick off a background refresh and return the
+  // previous value (or pending placeholder on the very first call). The next
+  // /api/status response after the refresh settles will have fresh data.
+  _scheduleProjectGitStatusRefresh(localPath, key);
+  return cached ? cached.value : PROJECT_GIT_STATUS_PENDING;
+}
 
-  let value = { gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'missing' };
-  try {
-    if (!fs.existsSync(localPath)) {
-      // missing — cache the negative result
-    } else {
-      let isRepo = false;
-      try {
-        const out = _gitExec(localPath, ['rev-parse', '--is-inside-work-tree']).trim();
-        isRepo = out === 'true';
-      } catch { isRepo = false; }
-      if (!isRepo) {
-        value = { gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'non-git' };
-      } else {
-        let branch = null;
-        let detached = false;
-        try {
-          branch = _gitExec(localPath, ['rev-parse', '--abbrev-ref', 'HEAD']).trim() || null;
-        } catch { branch = null; }
-        if (branch === 'HEAD') {
-          detached = true;
-          try { branch = _gitExec(localPath, ['rev-parse', '--short', 'HEAD']).trim() || null; }
-          catch { branch = null; }
-        }
-        let dirty = false;
-        try {
-          const status = _gitExec(localPath, ['status', '--porcelain', '--untracked-files=no']);
-          dirty = status.length > 0;
-        } catch { dirty = false; }
-        value = { gitBranch: branch, gitDetached: detached, gitDirty: dirty, gitState: 'ok' };
-      }
-    }
-  } catch {
-    // Defensive — never let a git probe failure break /api/status
-    value = { gitBranch: null, gitDetached: false, gitDirty: false, gitState: 'missing' };
+// Force a refresh now and wait for completion. Called from engine boot to
+// pre-warm the cache for every configured project so the first /api/status
+// after restart already has data. Also used by tests to settle the async
+// probe deterministically.
+function warmProjectGitStatus(localPath) {
+  const key = String(localPath || '').replace(/\\/g, '/');
+  if (!key) return Promise.resolve();
+  return _scheduleProjectGitStatusRefresh(localPath, key);
+}
+
+// Wait for every in-flight probe to settle. Test helper.
+function _awaitPendingProjectGitStatusProbes() {
+  const promises = [];
+  for (const entry of _projectGitStatusCache.values()) {
+    if (entry && entry.promise) promises.push(entry.promise);
   }
-  _projectGitStatusCache.set(key, { ts: now, value });
-  return value;
+  return Promise.all(promises);
 }
 
 /** Reset project git-status cache — exported for testing */
-function resetProjectGitStatusCache() { _projectGitStatusCache.clear(); }
+function resetProjectGitStatusCache() {
+  _projectGitStatusCache.clear();
+}
 
 // ── Exports ─────────────────────────────────────────────────────────────────
 
@@ -1610,6 +1679,8 @@ module.exports = {
   resetProjectGitStatusCache,
   invalidateKnowledgeBaseCache,
   getProjectGitStatus,
+  warmProjectGitStatus,
+  _awaitPendingProjectGitStatusProbes,
 
   // Core state
   getConfig, getControl, getDispatch, getDispatchQueue, getDispatchCompletionReport, invalidateDispatchCache,