@yemi33/minions 0.1.1984 → 0.1.1986

package/engine.js

@@ -30,6 +30,7 @@ const { exec, execAsync, execSilent, runFile, ts, ENGINE_DEFAULTS,
   FAILURE_CLASS } = shared;
 const { resolveRuntime } = require('./engine/runtimes');
 const { assertStaleHeadOk } = require('./engine/spawn-agent');
+const adoGitAuth = require('./engine/ado-git-auth');
 const queries = require('./engine/queries');
 
 // ─── Paths ──────────────────────────────────────────────────────────────────
@@ -194,6 +195,64 @@ function parseConflictFiles(mergeOutput) {
   return [...new Set(files)]; // dedupe
 }
 
+// Build the work item used by the dep-merge-failure auto-queue path
+// (W-mpcwojgr000a0244). Routes the conflict-fix through the shared-branch
+// dispatch path (`branchStrategy: 'shared-branch'` + `featureBranch:
+// depConflictBranch`) so spawnAgent's `git worktree add <wt> origin/<branch>`
+// (engine.js:1113) checks out the dep's existing branch directly. Commits land
+// back on that branch via `git push`, the existing PR picks them up, and no
+// redundant fresh-branch PR is opened.
+//
+// Cross-project caveat: the project field is stamped from the blocked item's
+// project. If the dep PR lives in a DIFFERENT project, the agent would still
+// be spawned in the blocked item's worktree root. That is a PRE-EXISTING
+// limitation of the dep-conflict-fix path — single-project plans (the common
+// case, and the trigger scenario P-wi1-bridge-readonly-{a,b,c}) are unaffected.
+function buildDepConflictFixItem({
+  depConflictBranch,
+  depConflictFiles = [],
+  isInterDepConflict = false,
+  preflightConflictPrev = null,
+  mainBranch,
+  blockedItem = null,
+  projectName = null,
+}) {
+  if (!depConflictBranch) throw new Error('buildDepConflictFixItem: depConflictBranch is required');
+  if (!mainBranch) throw new Error('buildDepConflictFixItem: mainBranch is required');
+  const conflictFixId = `conflict-fix-${depConflictBranch.replace(/[^a-zA-Z0-9-]/g, '-')}`;
+  const filesDesc = depConflictFiles.length > 0
+    ? `\n\nConflicting files:\n${depConflictFiles.map(f => '- ' + f).join('\n')}`
+    : '';
+  // Wording is explicit that the agent must push to the SAME branch — the
+  // shared-branch dispatch path puts them directly on `depConflictBranch`, so
+  // a fresh branch / new PR would defeat the whole point of this auto-queue.
+  const conflictFixDesc = isInterDepConflict && preflightConflictPrev
+    ? `Branch \`${depConflictBranch}\` conflicts with dependency branch \`${preflightConflictPrev}\`. Your worktree is already checked out on \`${depConflictBranch}\`. Rebase \`${depConflictBranch}\` onto \`${preflightConflictPrev}\` (or merge \`${preflightConflictPrev}\` into \`${depConflictBranch}\`), resolve conflicts, then \`git push\` to the SAME branch (\`--force-with-lease\` ok after rebase). Do NOT create a new branch and do NOT open a new PR. The existing PR for \`${depConflictBranch}\` will pick up your commits automatically.`
+    : `Branch \`${depConflictBranch}\` conflicts with \`${mainBranch}\`. Your worktree is already checked out on this branch. Merge \`${mainBranch}\` into it, resolve conflicts, then \`git push\` to the SAME branch — do NOT create a new branch and do NOT open a new PR. The existing PR for \`${depConflictBranch}\` will pick up your commits automatically.`;
+  const blockedSuffix = blockedItem
+    ? `\n\nBlocked downstream item: \`${blockedItem.id}\` — ${blockedItem.title || ''}`
+    : '';
+  return {
+    id: conflictFixId,
+    title: `Fix merge conflict: ${depConflictBranch} conflicts with ${isInterDepConflict ? preflightConflictPrev : mainBranch}`,
+    type: WORK_TYPE.FIX,
+    priority: 'high',
+    status: WI_STATUS.PENDING,
+    description: `${conflictFixDesc}${filesDesc}${blockedSuffix}`,
+    created: ts(),
+    createdBy: 'engine:dep-conflict-fix',
+    // Route through the shared-branch dispatch path (engine.js:4629, :4681,
+    // :1113) so the agent operates on the dep's existing branch — pushing
+    // straight into the existing PR instead of opening a new one.
+    branchStrategy: 'shared-branch',
+    featureBranch: depConflictBranch,
+    _branch: depConflictBranch,
+    _blockedItem: blockedItem ? blockedItem.id : null,
+    _isInterDepConflict: !!isInterDepConflict,
+    project: projectName || null,
+  };
+}
+
 // Prune dep branches that are ancestors of other dep branches (#958)
 // When B already contains A's commits, merging both A and B causes conflicts.
 async function pruneAncestorDeps(deps, gitOpts, cwd) {
@@ -527,7 +586,16 @@ async function syncReusedWorktree(rootDir, worktreePath, branchName, gitOpts = {
 async function findExistingWorktree(repoDir, branchName) {
   try {
     const out = await shared.shellSafeGit(['worktree', 'list', '--porcelain'], { cwd: repoDir, timeout: 10000 });
-    const found = shared.parseWorktreePorcelain(out).find(w => w.branch === branchName);
+    // Skip worktrees at or inside `repoDir` itself: the main checkout (always
+    // first in the porcelain output) sits AT repoDir, and nested worktrees
+    // under it would trip assertWorktreeOutsideProject downstream anyway.
+    // Returning either as "reusable" creates an unresolvable preflight
+    // rejection loop when the branch happens to be checked out at the
+    // project root (common when an operator works on the minions repo
+    // locally while the engine tries to review that same branch).
+    const found = shared.parseWorktreePorcelain(out).find(w =>
+      w.branch === branchName && !shared.isPathInsideOrEqual(w.path, repoDir)
+    );
     if (found && fs.existsSync(found.path)) return found.path;
   } catch (e) { log('warn', 'git: ' + e.message); }
   return null;
@@ -816,7 +884,12 @@ async function spawnAgent(dispatchItem, config) {
   let branchName = _preBranchName;
   const worktreeCreateTimeout = Math.max(60000, Number(engineConfig.worktreeCreateTimeout) || ENGINE_DEFAULTS.worktreeCreateTimeout);
   const worktreeCreateRetries = Math.max(0, Math.min(3, Number(engineConfig.worktreeCreateRetries) || ENGINE_DEFAULTS.worktreeCreateRetries));
-  const _gitOpts = { stdio: 'pipe', timeout: 30000, windowsHide: true, env: shared.gitEnv() };
+  // W-mpcuc8i80003a7b3 — for ADO projects, inject a per-invocation
+  // `-c http.<host>.extraHeader=Authorization: Bearer <token>` so headless
+  // git ops survive missing/expired Git Credential Manager state. Returns
+  // [] for GitHub/local projects so this is a no-op there.
+  const _adoGitExtraArgs = adoGitAuth.getAdoGitExtraArgs(project);
+  const _gitOpts = { stdio: 'pipe', timeout: 30000, windowsHide: true, env: shared.gitEnv(), gitExtraArgs: _adoGitExtraArgs };
   const _worktreeGitOpts = { ..._gitOpts, timeout: worktreeCreateTimeout };
 
   // Build the initial prompt before worktree setup, then refresh shared-branch
@@ -862,14 +935,34 @@ async function spawnAgent(dispatchItem, config) {
       : taskPromptWithReport;
   };
   let fullTaskPrompt = buildFullTaskPrompt(taskPrompt);
-  const tmpDir = path.join(ENGINE_DIR, 'tmp');
-  if (!fs.existsSync(tmpDir)) fs.mkdirSync(tmpDir, { recursive: true });
   const safeId = id.replace(/[:\\/*?"<>|]/g, '-');
-  const promptPath = path.join(tmpDir, `prompt-${safeId}.md`);
+  // P-f6-tmp-toctou: per-dispatch unique tmp dir closes the symlink-plant
+  // window on engine/tmp/prompt-<id>.md (mkdtempSync + chmod 0o700). Filename
+  // pattern inside the dir is unchanged so spawn-agent.js's prompt→pid regex
+  // derivation still works.
+  const dispatchTmpDir = shared.createDispatchTmpDir(id);
+  const promptPath = path.join(dispatchTmpDir, `prompt-${safeId}.md`);
   safeWrite(promptPath, fullTaskPrompt);
-  const sysPromptPath = path.join(tmpDir, `sysprompt-${safeId}.md`);
+  const sysPromptPath = path.join(dispatchTmpDir, `sysprompt-${safeId}.md`);
   safeWrite(sysPromptPath, systemPrompt);
-  const _cleanupPromptFiles = () => { safeUnlink(promptPath); safeUnlink(sysPromptPath); };
+  // Stamp the tmpDir on the dispatch entry so cleanup/orphan-reap/kill paths
+  // (dispatch.js, meeting.js, cli.js, cleanup.js, timeout.js) can find the
+  // dir via shared.dispatchPidCandidates / findDispatchPidFile. Best-effort —
+  // backward-compat fallbacks still scan dispatch-<safeId>-* dirs by id.
+  try {
+    dispatchItem.tmpDir = dispatchTmpDir;
+    const dispatchPath = path.join(MINIONS_DIR, 'engine', 'dispatch.json');
+    mutateJsonFileLocked(dispatchPath, (dispatch) => {
+      for (const queue of ['pending', 'active', 'completed']) {
+        const arr = Array.isArray(dispatch?.[queue]) ? dispatch[queue] : null;
+        if (!arr) continue;
+        const found = arr.find(d => d && d.id === id);
+        if (found) found.tmpDir = dispatchTmpDir;
+      }
+      return dispatch;
+    }, { defaultValue: { pending: [], active: [], completed: [] } });
+  } catch (e) { log('warn', `spawnAgent: failed to persist tmpDir for ${id}: ${e.message}`); }
+  const _cleanupPromptFiles = () => { shared.removeDispatchTmpDir(dispatchTmpDir); };
   // Convert a WORKTREE_NESTED_IN_PROJECT throw into a fail-fast non-retryable
   // dispatch failure (W-mp62taw2000ubcc3). The error's `.code` is set by
   // shared.assertWorktreeOutsideProject so we don't have to parse the message.
@@ -1173,6 +1266,12 @@ async function spawnAgent(dispatchItem, config) {
           let depMergeFailed = false;
           let depConflictBranch = null; // track which dep branch caused the conflict
           let depConflictFiles = [];    // conflicting file names parsed from git output
+          // W-mpcuc8i80003a7b3 — track whether ANY git op in the dep phase
+          // failed with an ADO auth signature. If so, we escalate as
+          // FAILURE_CLASS.AUTH (non-retryable + dedup'd inbox alert) instead
+          // of FAILURE_CLASS.MERGE_CONFLICT (which retries 3x against the
+          // same broken auth path).
+          let _depAuthFailed = false;
           // Fetch all dependency branches in parallel (git fetches are independent)
           const fetchable = depBranches.filter(d => !_failedRefCache.has(d.branch));
           const unfetchable = depBranches.filter(d => _failedRefCache.has(d.branch));
@@ -1188,7 +1287,10 @@ async function spawnAgent(dispatchItem, config) {
           }
           const fetchResults = await Promise.allSettled(
             fetchable.map(({ branch: depBranch }) =>
-              shared.shellSafeGit(['fetch', 'origin', depBranch], { ..._gitOpts, cwd: rootDir }).then(() => depBranch)
+              // runAdoGit for ADO projects auto-retries once on auth failure
+              // with a refreshed bearer token (handles mid-dispatch expiry).
+              // For non-ADO projects it's a thin pass-through to shellSafeGit.
+              adoGitAuth.runAdoGit(project, ['fetch', 'origin', depBranch], { ..._gitOpts, cwd: rootDir }).then(() => depBranch)
             )
           );
           const hasFetchFailures = fetchResults.some(r => r.status === 'rejected');
@@ -1221,6 +1323,12 @@ async function spawnAgent(dispatchItem, config) {
               }
               _failedRefCache.add(failedBranch);
               log('warn', `Failed to fetch dependency ${failedBranch}: ${errMsg}`);
+              // W-mpcuc8i80003a7b3 — detect ADO bearer-token / GCM credential
+              // failures so we escalate as FAILURE_CLASS.AUTH below instead of
+              // mis-classifying as a merge conflict and burning 3 retries.
+              if (adoGitAuth.isAdoAuthFailure(fetchResults[i].reason)) {
+                _depAuthFailed = true;
+              }
               depMergeFailed = true;
             }
           }
@@ -1302,6 +1410,11 @@ async function spawnAgent(dispatchItem, config) {
                 // Merge failed — possibly due to diverged history from a force-pushed (rebased) dep branch.
                 // Abort partial merge, reset worktree to clean main base, and re-merge all deps from scratch.
                 log('warn', `Merge of ${depBranch} into ${branchName} failed: ${mergeErr.message} — attempting reset and re-merge of all deps`);
+                // W-mpcuc8i80003a7b3 — defense in depth. `git merge origin/<dep>`
+                // is local so an auth failure here is unexpected, but mark the
+                // flag so the final dispatch failure routes through the AUTH
+                // path instead of MERGE_CONFLICT.
+                if (adoGitAuth.isAdoAuthFailure(mergeErr)) _depAuthFailed = true;
                 try { await shared.shellSafeGit(['merge', '--abort'], { ..._gitOpts, cwd: worktreePath }); } catch (_) { /* no merge in progress */ }
                 const mainRef = sanitizeBranch(shared.resolveMainBranch(rootDir, project.mainBranch));
                 try {
@@ -1316,6 +1429,7 @@ async function spawnAgent(dispatchItem, config) {
                 } catch (resetErr) {
                   const errOutput = (resetErr.message || '') + '\n' + (resetErr.stdout?.toString?.() || '') + '\n' + (resetErr.stderr?.toString?.() || '');
                   log('warn', `Failed to reset and re-merge deps for ${branchName}: ${resetErr.message}`);
+                  if (adoGitAuth.isAdoAuthFailure(resetErr)) _depAuthFailed = true;
                   try { await shared.shellSafeGit(['merge', '--abort'], { ..._gitOpts, cwd: worktreePath }); } catch (_) { /* no merge in progress */ }
                   // Post-mortem: incremental simulation to identify which dep caused the conflict (#958)
                   // Uses same chained merge-tree approach as pre-flight to catch inter-dep conflicts
@@ -1366,6 +1480,58 @@ async function spawnAgent(dispatchItem, config) {
           _phaseT.depMergeEnd = Date.now();
           if (depMergeFailed) {
             _cleanupPromptFiles();
+            // W-mpcuc8i80003a7b3 — short-circuit to AUTH classification when any
+            // git op in the dep phase looked like an ADO credential failure.
+            // This BYPASSES the merge-conflict path entirely: no retries (auth
+            // is structural — re-running won't fix missing az / GCM creds),
+            // no conflict-fix WI (would just re-trigger the same auth wall),
+            // and a single dedup'd inbox alert pointing at the recovery steps.
+            if (_depAuthFailed) {
+              const projName = project.name || 'unknown';
+              const authFailReason = `ADO git authentication failed for project ${projName}: dependency fetch could not authenticate to origin (likely missing/expired az CLI token, no cached GCM credentials, or token broker unavailable in headless context)`;
+              try {
+                writeInboxAlert(`ado-auth-${projName}`, [
+                  `# ADO git authentication failed — ${projName}`,
+                  '',
+                  `Work item: \`${meta?.item?.id || '(unknown)'}\``,
+                  `Branch: \`${branchName || '(unknown)'}\``,
+                  '',
+                  '## Symptom',
+                  '',
+                  'Engine could not fetch dependency branches from the ADO origin. ',
+                  'Git Credential Manager has no cached credentials and falls back to ',
+                  'a TTY prompt, which the headless engine cannot satisfy:',
+                  '',
+                  '```',
+                  "fatal: could not read Username for 'https://<adoOrg>.visualstudio.com'",
+                  '```',
+                  '',
+                  '## Recovery',
+                  '',
+                  'From an interactive shell on the engine host, refresh ADO credentials:',
+                  '',
+                  '```bash',
+                  '# Option A — Azure CLI (preferred)',
+                  'az login',
+                  'az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv',
+                  '',
+                  '# Option B — azureauth (corp environments)',
+                  'azureauth ado token --mode iwa --mode broker --output token --timeout 1',
+                  '```',
+                  '',
+                  'Once a valid token can be acquired, the engine will pick it up automatically on the next tick (30-min cache + 10-min acquire backoff).',
+                  '',
+                  '## Why no auto-retry',
+                  '',
+                  'This dispatch is failed as `FAILURE_CLASS.AUTH` (non-retryable). Mechanical retry would burn slots against the same broken credential path. After you fix the credentials, manually retry the work item via the dashboard or `/api/work-items/retry`.',
+                ].join('\n'));
+              } catch (alertErr) {
+                log('warn', `Failed to write ADO auth inbox alert: ${alertErr.message}`);
+              }
+              completeDispatch(id, DISPATCH_RESULT.ERROR, authFailReason, '', { failureClass: FAILURE_CLASS.AUTH, agentRetryable: false });
+              cleanupTempAgent(agentId);
+              return;
+            }
             // Build actionable failReason identifying the conflicting branch and files (#958)
             const mainBranch = sanitizeBranch(shared.resolveMainBranch(rootDir, project.mainBranch));
             let failReason = 'Dependency merge failed';
@@ -1380,39 +1546,29 @@ async function spawnAgent(dispatchItem, config) {
             }
             completeDispatch(id, DISPATCH_RESULT.ERROR, failReason, '', { failureClass: FAILURE_CLASS.MERGE_CONFLICT });
 
-            // Auto-queue conflict-fix work item when a specific dep branch is identified
+            // Auto-queue conflict-fix work item when a specific dep branch is identified.
+            // Routes through the shared-branch dispatch path (see buildDepConflictFixItem)
+            // so commits land on the dep's existing PR branch (W-mpcwojgr000a0244).
             if (depConflictBranch && meta?.item?.id && project) {
               try {
                 const wiPath = project.name
                   ? projectWorkItemsPath(project)
                   : path.join(MINIONS_DIR, 'work-items.json');
-                const conflictFixId = `conflict-fix-${depConflictBranch.replace(/[^a-zA-Z0-9-]/g, '-')}`;
-                const filesDesc = depConflictFiles.length > 0
-                  ? `\n\nConflicting files:\n${depConflictFiles.map(f => '- ' + f).join('\n')}`
-                  : '';
-                // Inter-dep conflict: rebase onto the conflicting dep; dep-vs-main: merge main (#958)
-                const conflictFixDesc = _isInterDepConflict && _preflightConflictPrev
-                  ? `Branch \`${depConflictBranch}\` conflicts with dependency branch \`${_preflightConflictPrev}\`. Rebase \`${depConflictBranch}\` onto \`${_preflightConflictPrev}\` (or merge \`${_preflightConflictPrev}\` into \`${depConflictBranch}\`) and resolve conflicts, then push.`
-                  : `Branch \`${depConflictBranch}\` conflicts with \`${mainBranch}\`. Merge ${mainBranch} into the branch and resolve conflicts, then push.`;
+                const newItem = buildDepConflictFixItem({
+                  depConflictBranch,
+                  depConflictFiles,
+                  isInterDepConflict: _isInterDepConflict,
+                  preflightConflictPrev: _preflightConflictPrev,
+                  mainBranch,
+                  blockedItem: meta.item,
+                  projectName: project.name || null,
+                });
                 mutateWorkItems(wiPath, items => {
                   // Don't create duplicate conflict-fix items
-                  const existing = items.find(i => i.id === conflictFixId && i.status !== WI_STATUS.DONE && i.status !== WI_STATUS.FAILED && i.status !== WI_STATUS.CANCELLED);
+                  const existing = items.find(i => i.id === newItem.id && i.status !== WI_STATUS.DONE && i.status !== WI_STATUS.FAILED && i.status !== WI_STATUS.CANCELLED);
                   if (existing) return;
-                  items.push({
-                    id: conflictFixId,
-                    title: `Fix merge conflict: ${depConflictBranch} conflicts with ${_isInterDepConflict ? _preflightConflictPrev : mainBranch}`,
-                    type: WORK_TYPE.FIX,
-                    priority: 'high',
-                    status: WI_STATUS.PENDING,
-                    description: `${conflictFixDesc}${filesDesc}\n\nBlocked downstream item: \`${meta.item.id}\` — ${meta.item.title || ''}`,
-                    created: ts(),
-                    createdBy: 'engine:dep-conflict-fix',
-                    _branch: depConflictBranch,
-                    _blockedItem: meta.item.id,
-                    _isInterDepConflict: _isInterDepConflict || false,
-                    project: project.name || null,
-                  });
-                  log('info', `Auto-queued conflict-fix work item ${conflictFixId} for ${depConflictBranch} (blocked: ${meta.item.id})`);
+                  items.push(newItem);
+                  log('info', `Auto-queued conflict-fix work item ${newItem.id} for ${depConflictBranch} (blocked: ${meta.item.id})`);
                 });
               } catch (e) { log('warn', `Failed to auto-queue conflict-fix: ${e.message}`); }
             }
@@ -1707,6 +1863,9 @@ async function spawnAgent(dispatchItem, config) {
     if (pidFilePath) {
       try { safeUnlink(pidFilePath); } catch { /* may not exist yet */ }
     }
+    // P-f6-tmp-toctou: rm the per-dispatch tmp dir too so prompt/sysprompt
+    // sidecars don't leak when runFile throws before onAgentClose can run.
+    try { _cleanupPromptFiles(); } catch { /* cleanup is best-effort */ }
     cleanupTempAgent(agentId);
     throw spawnErr;
   }
@@ -1847,7 +2006,7 @@ async function spawnAgent(dispatchItem, config) {
       const pendingForResume = steering.buildPendingSteeringPrompt(agentId);
       const steerPromptBody = pendingForResume.prompt || steerMsg;
       const steerPrompt = `Message from your human teammate:\n\n${steerPromptBody}\n\nRespond to this, then continue working on your current task.`;
-      const steerPromptPath = path.join(ENGINE_DIR, 'tmp', `prompt-steer-${safeId}.md`);
+      const steerPromptPath = path.join(dispatchTmpDir, `prompt-steer-${safeId}.md`);
       try { safeWrite(steerPromptPath, steerPrompt); } catch (e) {
         log('warn', `Steering: failed to write prompt for ${agentId}: ${e.message}`);
         try { fs.appendFileSync(liveOutputPath, `\n[steering-failed] Could not write prompt. Message was: ${steerMsg}\n`); } catch {}
@@ -2705,10 +2864,11 @@ async function spawnAgent(dispatchItem, config) {
       } catch (e) { log('warn', `keep-processes acceptance: failed to set _pendingReason: ${e.message}`); }
     }
 
-    // Cleanup temp files (including PID file now that dispatch is complete)
-    try { fs.unlinkSync(sysPromptPath); } catch { /* cleanup */ }
-    try { fs.unlinkSync(promptPath); } catch { /* cleanup */ }
-    try { fs.unlinkSync(promptPath.replace(/prompt-/, 'pid-').replace(/\.md$/, '.pid')); } catch { /* cleanup */ }
+    // Cleanup temp files (whole per-dispatch dir, including PID/sysprompt
+    // tmp/prompt — P-f6-tmp-toctou). removeDispatchTmpDir validates the path
+    // resolves under engine/tmp/dispatch-* before rmSync, so a corrupted
+    // dispatch.json field can't redirect this to an arbitrary path.
+    try { shared.removeDispatchTmpDir(dispatchTmpDir); } catch { /* cleanup */ }
 
     log('info', `Agent ${agentId} completed. Output saved to ${archivePath}`);
 
@@ -3981,16 +4141,24 @@ async function discoverFromPrs(config, project) {
       const currentHeadSha = String(pr.headSha || pr._adoSourceCommit || pr._adoHeadCommit || '').trim();
       const lastHumanDispatch = pr._lastDispatchByCause?.[shared.PR_FIX_CAUSE.HUMAN_FEEDBACK];
       const currentCommentId = String(pr.humanFeedback?.lastProcessedCommentId || '');
-      if (lastHumanDispatch?.outcome === 'noop'
+      // Issue #2632: this same-head/same-comment guard MUST be cause-local. A
+      // previous `continue` here aborted the whole PR iteration and starved
+      // the build-failure / re-review / conflict-fix evaluation blocks below
+      // (live repro on ADO PR `office-bohemia#5215610`: had `buildStatus=failing`
+      // + `buildFailureSignature` but no `build-fix-*` dispatch was ever
+      // queued). Skip only the human-feedback dispatch path; leave
+      // `fixDispatched=false` so downstream causes are still evaluated.
+      const skipHumanFeedback = !!(lastHumanDispatch?.outcome === 'noop'
         && lastHumanDispatch.headSha
         && currentHeadSha
         && lastHumanDispatch.headSha === currentHeadSha
         && lastHumanDispatch.lastProcessedCommentId
         && currentCommentId
-        && lastHumanDispatch.lastProcessedCommentId === currentCommentId) {
+        && lastHumanDispatch.lastProcessedCommentId === currentCommentId);
+      if (skipHumanFeedback) {
         log('info', `Skipping human-feedback fix for ${pr.id}: last human-feedback dispatch was noop on the same head ${currentHeadSha.slice(0, 8)} and same comment ${currentCommentId.slice(0, 32)} (${(lastHumanDispatch.reason || '').slice(0, 120)})`);
-        continue;
       }
+      if (!skipHumanFeedback) {
       const key = humanFixKey;
       if (isPrAutomationCauseHandledOrPending(project, pr, humanCauseKey)) continue;
       let staleCoalesced = [];
@@ -4035,6 +4203,7 @@ async function discoverFromPrs(config, project) {
         review_note: reviewNote,
       }, `Fix ${pr.id}: ${pr.title || ''} — human feedback`, { dispatchKey: key, automationCauseKey: humanCauseKey, source: 'pr-human-feedback', pr, branch: prBranch, project: projMeta });
       if (item) { newWork.push(item); fixDispatched = true; }
+      } // end if (!skipHumanFeedback) — cause-local guard for #2632
     }
 
     // Re-review after fix: trigger when a fix was pushed after the last minions review,
@@ -4150,13 +4319,18 @@ async function discoverFromPrs(config, project) {
       // a new commit landed (live repro on PR #2433).
       const currentHeadSha = String(pr.headSha || pr._adoSourceCommit || pr._adoHeadCommit || '').trim();
       const lastBuildDispatch = pr._lastDispatchByCause?.[shared.PR_FIX_CAUSE.BUILD_FAILURE];
-      if (lastBuildDispatch?.outcome === 'noop'
+      // Issue #2632 audit: cause-local guard. A previous `continue` here
+      // aborted the whole PR iteration and starved the conflict-fix block
+      // below — symmetric to the human-feedback bug. Skip only the build-fix
+      // dispatch path; downstream merge-conflict resolution must still run.
+      const skipBuildFix = !!(lastBuildDispatch?.outcome === 'noop'
         && lastBuildDispatch.headSha
         && currentHeadSha
-        && lastBuildDispatch.headSha === currentHeadSha) {
+        && lastBuildDispatch.headSha === currentHeadSha);
+      if (skipBuildFix) {
         log('info', `Skipping build-fix for ${pr.id}: last build-failure dispatch was noop on the same head ${currentHeadSha.slice(0, 8)} (${(lastBuildDispatch.reason || '').slice(0, 120)})`);
-        continue;
       }
+      if (!skipBuildFix) {
       const buildCauseKey = getPrAutomationCauseKey('build', pr);
       const key = getPrAutomationDispatchKey(`build-fix-${project?.name || 'default'}-${prDisplayId}`, buildCauseKey);
       if (isPrAutomationCauseHandledOrPending(project, pr, buildCauseKey)) continue;
@@ -4245,6 +4419,7 @@ async function discoverFromPrs(config, project) {
           });
         } catch (e) { log('warn', 'mark build fail notified: ' + e.message); }
       }
+      } // end if (!skipBuildFix) — cause-local guard for #2632 audit
     }
 
     // PRs with merge conflicts — dispatch fix to resolve (gated by provider polling + autoFixConflicts)
@@ -4886,10 +5061,19 @@ function materializeSpecsAsWorkItems(config, project) {
   let recentSpecs = [];
   for (const pattern of filePatterns) {
     try {
-      const result = exec(
-        `git log --diff-filter=AM --name-only --pretty=format:"COMMIT:%H|%s" --since="${sinceDate}" -- "${pattern}"`,
-        { cwd: root, encoding: 'utf8', timeout: 10000 }
-      ).trim();
+      // P-f7-git-log: argv form via execFileSync (shell:false) so file patterns
+      // from operator config.json reach git as literal pathspec args, never as
+      // shell tokens. Spread the pattern after the '--' pathspec separator.
+      const args = [
+        'log',
+        '--diff-filter=AM',
+        '--name-only',
+        '--pretty=format:COMMIT:%H|%s',
+        `--since=${sinceDate}`,
+        '--',
+        pattern,
+      ];
+      const result = shared.shellSafeGitSync(args, { cwd: root, timeout: 10000 }).trim();
       if (!result) continue;
 
       let currentCommit = null;
@@ -5724,12 +5908,15 @@ async function tickInner() {
     process.exit(0);
   }
 
-  // Write heartbeat so dashboard can detect stale engine
-  try { mutateControl(c => ({ ...c, heartbeat: Date.now() })); } catch (e) { log('warn', 'write heartbeat: ' + e.message); }
+  // W-mpcyvff6000pf828 (#2653) — control.heartbeat is written by a dedicated
+  // 15s interval in engine/cli.js (createHeartbeatWriter), decoupled from
+  // tickInner so a slow tick (cold runtime spawn, sequential PR polls, slow
+  // worktree create) cannot starve heartbeats and flip the dashboard to STALE
+  // on an otherwise healthy engine.
 
   // P-c2e5a1d9-a — Initial wiring guard: bail immediately if a force-release
-  // reclaimed our lock while the heartbeat write was in flight. Per-phase
-  // guards inside the rest of tickInner are sub-task -b's scope.
+  // reclaimed our lock while the startup control-state read was in flight.
+  // Per-phase guards inside the rest of tickInner are sub-task -b's scope.
   if (_isTickStale(myGeneration)) return;
 
   const config = getConfig();
@@ -6394,14 +6581,17 @@ module.exports = {
   // Discovery
   discoverWork, discoverFromPrs, discoverFromWorkItems, discoverCentralWorkItems,
   materializePlansAsWorkItems,
+  materializeSpecsAsWorkItems, // exported for testing (P-f7-git-log)
   reservePrdFilename, // exported for testing (P-9b7e5d3c)
   sweepStaleArchivedPrdBackups, // exported for testing
 
   // Shared helpers (used by lifecycle.js and tests)
   reconcileItemsWithPrs, detectDependencyCycles,
   parseConflictFiles, pruneAncestorDeps, preflightMergeSimulation, // exported for testing
+  buildDepConflictFixItem, // exported for testing (W-mpcwojgr000a0244)
   isWorktreeRetryableError, removeStaleIndexLock, syncReusedWorktree, assertCleanSharedWorktree, // exported for testing
   pruneStaleWorktreeForBranch, // exported for testing
+  findExistingWorktree, // exported for testing
   _maxTurnsForType, buildProjectContext, normalizeAc, _buildAgentSpawnFlags, _classifyAgentFailure, // exported for testing
   promoteCheckpointSteeringForClose, // exported for testing
   normalizePrBranch, resolvePrBranch, prCausePart, getPrCauseHead, getPrCauseBase, getPrAutomationCauseKey, getPrAutomationDispatchKey, // exported for testing

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.1984",
+  "version": "0.1.1986",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"