@yemi33/minions 0.1.1985 → 0.1.1987

package/engine/cli.js

@@ -57,7 +57,9 @@ function dispatchSafeId(itemId) {
 }
 
 function readDispatchPid(itemId) {
-  const pidFile = path.join(ENGINE_DIR, 'tmp', `pid-${dispatchSafeId(itemId)}.pid`);
+  // P-f6-tmp-toctou: prefer per-dispatch dir layout, fall back to legacy flat.
+  const pidFile = shared.findDispatchPidFile(itemId);
+  if (!pidFile) return null;
   let raw;
   try { raw = fs.readFileSync(pidFile, 'utf8').trim(); }
   catch { return null; }
@@ -188,6 +190,7 @@ const CLI_COMMAND_DOCS = Object.freeze({
   doctor:     { args: '',                      summary: 'Check prerequisites and runtime health' },
   config:     { args: 'set-cli <R> [--model M]', summary: 'Persist defaultCli/defaultModel without starting' },
   pr:         { args: 'comment <repo> <prNumber> --agent <id> --kind <k> [--wi <id>] [--body-file <f>|--body <text>]', summary: 'Post a marker-prepended PR comment via gh' },
+  bridge:     { args: 'status|health|enable|disable',         summary: 'Constellation bridge: toggle and inspect the read-only cross-repo feed' },
 });
 
 function formatCliCommandHelpLines() {
@@ -1567,13 +1570,10 @@ const commands = {
     const shared = require('./shared');
 
     // Kill processes via PID files (expensive — outside dispatch lock).
-    // PID files live in engine/tmp/ (see engine/spawn-agent.js:220 — derived from
-    // the prompt-<id>.md sidecar path that engine.js builds in engine/tmp/).
-    // Reading from ENGINE_DIR directly is a no-op: spawn-agent never writes there.
-    const pidDir = path.join(ENGINE_DIR, 'tmp');
-    const pidFiles = shared.safeReadDir(pidDir).filter(f => f.startsWith('pid-') && f.endsWith('.pid'));
-    for (const f of pidFiles) {
-      const pidPath = path.join(pidDir, f);
+    // PID files live in engine/tmp/ — both legacy flat layout
+    // (`pid-<id>.pid`) and per-dispatch dirs (`dispatch-<id>-XXX/pid-<id>.pid`)
+    // post-P-f6-tmp-toctou. shared.forEachPidFile visits both.
+    shared.forEachPidFile((pidPath, fileName, layout) => {
       const raw = safeRead(pidPath).trim();
       // Guard against falsy/zero/NaN PIDs. Empty pid files would resolve to
       // Number('') === 0, and process.kill(0) on POSIX targets the entire
@@ -1581,13 +1581,17 @@ const commands = {
       let pidNum = NaN;
       try { pidNum = shared.validatePid(raw); } catch { /* invalid — skip */ }
       if (pidNum > 0) {
-        try { process.kill(pidNum); console.log(`Killed process ${pidNum} (${f})`); }
+        try { process.kill(pidNum); console.log(`Killed process ${pidNum} (${fileName})`); }
         catch { console.log(`Process ${pidNum} already dead`); }
       } else {
-        console.log(`Skipping ${f}: invalid or empty PID`);
+        console.log(`Skipping ${fileName}: invalid or empty PID`);
       }
-      try { fs.unlinkSync(pidPath); } catch { /* may not exist */ }
-    }
+      if (layout === 'dispatch-dir') {
+        try { shared.removeDispatchTmpDir(path.dirname(pidPath)); } catch { /* may not exist */ }
+      } else {
+        try { fs.unlinkSync(pidPath); } catch { /* may not exist */ }
+      }
+    });
 
     // Atomically read and clear dispatch.active (locked read-modify-write)
     let killed = [];
@@ -1815,6 +1819,116 @@ const commands = {
       console.error(`error: ${e.message}`);
       process.exit(1);
     }
+  },
+
+  // `minions bridge <subcommand>` — Constellation read-only bridge surface.
+  // Owns the on/off flag and the marker-file projection used by the
+  // Constellation agent. Bridge polling logic itself lives in the
+  // Constellation repo (P-wi1-bridge-readonly).
+  //
+  // Subcommands:
+  //   status   Print enabled flag + last-seen Constellation agent timestamp.
+  //   health   Probe http://127.0.0.1:7331/api/status and print the same
+  //            curated projection the Constellation bridge would consume.
+  //   enable   Atomically set engine.constellationBridge.enabled = true.
+  //   disable  Atomically set engine.constellationBridge.enabled = false.
+  bridge(subcmd, ...rest) {
+    const bridge = require('./bridge');
+    const BRIDGE_USAGE = 'Usage: minions bridge <status|health|enable|disable>';
+
+    if (!subcmd || subcmd === 'help' || subcmd === '--help' || subcmd === '-h') {
+      console.log(BRIDGE_USAGE);
+      console.log('');
+      console.log('  status   Show enabled flag + last-seen Constellation agent timestamp');
+      console.log('  health   Probe http://127.0.0.1:7331/api/status and print bridge projection');
+      console.log('  enable   Set engine.constellationBridge.enabled = true');
+      console.log('  disable  Set engine.constellationBridge.enabled = false');
+      return;
+    }
+
+    if (rest.length > 0) {
+      console.error(`error: unexpected arguments after bridge ${subcmd}: ${rest.join(' ')}`);
+      process.exit(2);
+    }
+
+    if (subcmd === 'enable' || subcmd === 'disable') {
+      const enabled = subcmd === 'enable';
+      const { previous, current } = bridge.setBridgeEnabled(enabled);
+      const verb = previous === current ? 'already' : 'now';
+      console.log(`bridge: ${verb} ${current ? 'enabled' : 'disabled'}`);
+      console.log('  config: engine.constellationBridge.enabled = ' + current);
+      if (!previous && current) {
+        console.log('  note: Constellation-side bridge must also be enabled to project state.');
+      }
+      return;
+    }
+
+    if (subcmd === 'status') {
+      const config = getConfig();
+      const enabled = bridge.isBridgeEnabled(config);
+      console.log(`bridge: ${enabled ? 'enabled' : 'disabled'}`);
+      console.log('  config: engine.constellationBridge.enabled = ' + enabled);
+      const marker = bridge.readBridgeMarker();
+      if (!marker) {
+        console.log('  marker: no Constellation agent has registered yet');
+        console.log(`  (expected at ${bridge.CONSTELLATION_BRIDGE_MARKER_PATH})`);
+      } else {
+        console.log(`  last seen: ${bridge.formatRelativeAge(marker.lastSeenAt)} (${marker.lastSeenAt})`);
+        if (marker.agentVersion) console.log(`  agent version: ${marker.agentVersion}`);
+        if (marker.source) console.log(`  source: ${marker.source}`);
+      }
+      return;
+    }
+
+    if (subcmd === 'health') {
+      const http = require('http');
+      const req = http.get(
+        { hostname: '127.0.0.1', port: 7331, path: '/api/status', timeout: 5000 },
+        (res) => {
+          let body = '';
+          res.setEncoding('utf8');
+          res.on('data', (chunk) => { body += chunk; });
+          res.on('end', () => {
+            if (res.statusCode !== 200) {
+              console.error(`error: dashboard returned HTTP ${res.statusCode}`);
+              process.exit(1);
+            }
+            let parsed;
+            try { parsed = JSON.parse(body); }
+            catch (e) {
+              console.error(`error: dashboard response was not JSON: ${e.message}`);
+              process.exit(1);
+            }
+            const projection = bridge.projectStatusForBridge(parsed);
+            if (!projection) {
+              console.error('error: dashboard /api/status returned an unexpected shape');
+              process.exit(1);
+            }
+            console.log('bridge: dashboard reachable on http://127.0.0.1:7331');
+            console.log('  projection (same fields the Constellation bridge would read):');
+            for (const [k, v] of Object.entries(projection)) {
+              console.log(`    ${k}: ${v === null ? '(unknown)' : v}`);
+            }
+          });
+        }
+      );
+      req.on('timeout', () => {
+        req.destroy(new Error('connect timeout'));
+      });
+      req.on('error', (err) => {
+        if (err.code === 'ECONNREFUSED') {
+          console.error('error: dashboard not running on :7331 — start it with `minions dash`');
+        } else {
+          console.error(`error: ${err.message}`);
+        }
+        process.exit(1);
+      });
+      return;
+    }
+
+    console.error(`Unknown bridge subcommand: ${subcmd}`);
+    console.error(BRIDGE_USAGE);
+    process.exit(2);
   }
 };
 

package/engine/dispatch.js

@@ -823,6 +823,7 @@ function cleanDispatchEntries(matchFn) {
   let removed = 0;
   const pidsToKill = [];
   const filesToDelete = [];
+  const dispatchDirsToRemove = [];
   try {
     mutateJsonFileLocked(dispatchPath, (dispatch) => {
       for (const queue of ['pending', 'active', 'completed']) {
@@ -831,17 +832,26 @@ function cleanDispatchEntries(matchFn) {
         if (queue === 'active') {
           for (const d of dispatch[queue]) {
             if (!matchFn(d)) continue;
-            // PID files live in engine/tmp/ (see engine/spawn-agent.js:220 — derived
-            // from the prompt-<id>.md path that engine.js builds in engine/tmp/).
-            const pidFile = path.join(tmpDir, `pid-${d.id}.pid`);
-            try {
-              const pid = parseInt(fs.readFileSync(pidFile, 'utf8').trim());
-              if (pid) pidsToKill.push(pid);
-            } catch { /* PID file may not exist */ }
-            filesToDelete.push(pidFile);
-            filesToDelete.push(path.join(tmpDir, `prompt-${d.id}.md`));
-            filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md`));
-            filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md.tmp`));
+            // P-f6-tmp-toctou: prefer the dispatch's recorded tmpDir. Fall
+            // back to legacy flat layout for active dispatches that pre-date
+            // the per-dispatch-dir layout. shared.findDispatchPidFile honors
+            // the same resolution order so we agree on which PID to kill.
+            const pidPath = shared.findDispatchPidFile(d);
+            if (pidPath) {
+              try {
+                const pid = parseInt(fs.readFileSync(pidPath, 'utf8').trim());
+                if (pid) pidsToKill.push(pid);
+              } catch { /* PID file may not exist */ }
+            }
+            if (d.tmpDir && shared.validateDispatchTmpDir(d.tmpDir)) {
+              dispatchDirsToRemove.push(d.tmpDir);
+            } else {
+              // Legacy individual-file cleanup for pre-migration entries.
+              filesToDelete.push(path.join(tmpDir, `pid-${d.id}.pid`));
+              filesToDelete.push(path.join(tmpDir, `prompt-${d.id}.md`));
+              filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md`));
+              filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md.tmp`));
+            }
           }
         }
         dispatch[queue] = dispatch[queue].filter(d => !matchFn(d));
@@ -865,6 +875,9 @@ function cleanDispatchEntries(matchFn) {
   for (const fp of filesToDelete) {
     try { fs.unlinkSync(fp); } catch { /* may not exist */ }
   }
+  for (const dir of dispatchDirsToRemove) {
+    shared.removeDispatchTmpDir(dir);
+  }
   return removed;
 }
 

package/engine/github.js

@@ -35,6 +35,29 @@ function _setExecAsyncForTest(fn) {
   _execAsyncOverride = (typeof fn === 'function') ? fn : null;
 }
 
+// P-f2-gh-shell (F2): parallel test seam for argv-form (shellSafeGh) shell-outs.
+// The legacy `_runExec` seam intercepts shell-string `gh api ...` invocations,
+// but the F2 conversion routes ghApi / build-log fetch / dismiss-review through
+// shared.shellSafeGh (execFile, shell:false). New tests can mock at the argv
+// level via `_setShellSafeGhForTest`; pre-existing tests that mock the shell-string
+// layer keep working because `_runShellSafeGh` falls back to the legacy override
+// by synthesizing a cmd string from argv (quoting any non-trivial argument so
+// existing `/"repos\/owner\/repo"$/`-style route patterns still match).
+let _shellSafeGhOverride = null;
+function _runShellSafeGh(args, opts) {
+  if (_shellSafeGhOverride) return _shellSafeGhOverride(args, opts);
+  if (_execAsyncOverride) {
+    const cmd = ['gh', ...args]
+      .map(a => /^[A-Za-z0-9_=.-]+$/.test(String(a)) ? String(a) : `"${String(a)}"`)
+      .join(' ');
+    return _execAsyncOverride(cmd, opts);
+  }
+  return shared.shellSafeGh(args, opts);
+}
+function _setShellSafeGhForTest(fn) {
+  _shellSafeGhOverride = (typeof fn === 'function') ? fn : null;
+}
+
 // ─── Constants ──────────────────────────────────────────────────────────────
 
 // 10 MB — prevents maxBuffer exceeded errors on repos with many open PRs.
@@ -270,11 +293,15 @@ const GH_NOT_FOUND = Object.freeze({ _notFound: true });
  */
 async function ghApi(endpoint, slug, opts = {}) {
   try {
-    const paginateFlag = opts.paginate ? ' --paginate' : '';
-    const cmd = `gh api${paginateFlag} "repos/${slug}${endpoint}"`;
+    // P-f2-gh-shell (F2): argv form via shellSafeGh — eliminates shell
+    // interpolation of slug/endpoint. validateGhSlug + validateGhEndpoint
+    // reject shell metacharacters before they reach child_process.
+    const args = ['api'];
+    if (opts.paginate) args.push('--paginate');
+    args.push(`repos/${shared.validateGhSlug(slug)}${shared.validateGhEndpoint(endpoint)}`);
     const token = ghToken.resolveTokenForSlug(slug);
     const env = token ? { ...process.env, GH_TOKEN: token } : undefined;
-    const result = await _runExec(cmd, { timeout: opts.timeout || 30000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER, env });
+    const result = await _runShellSafeGh(args, { timeout: opts.timeout || 30000, maxBuffer: GH_MAX_BUFFER, env });
     const parsed = JSON.parse(result);
     _ghThrottle.recordSuccess();
     return parsed;
@@ -340,12 +367,18 @@ async function fetchGhBuildErrorLog(slug, failedRuns) {
         }
       } catch { /* fall through to job log */ }
 
-      // Always fetch job log — annotations alone often lack test failure details
+      // Always fetch job log — annotations alone often lack test failure details.
+      // P-f2-gh-shell (F2): argv form via shellSafeGh. validateJobId rejects
+      // non-integer run.id values before they reach child_process. Stderr is
+      // captured via shellSafeGh's execFile path (stderr surfaces on the thrown
+      // Error in the catch block) instead of a `2>&1` shell redirect, which is
+      // moot once shell:false is in effect.
       try {
-        const cmd = `gh api "repos/${slug}/actions/jobs/${run.id}/logs" 2>&1`;
+        const jobId = shared.validateJobId(run.id);
+        const args = ['api', `repos/${shared.validateGhSlug(slug)}/actions/jobs/${jobId}/logs`];
         const token = ghToken.resolveTokenForSlug(slug);
         const env = token ? { ...process.env, GH_TOKEN: token } : undefined;
-        const result = await _runExec(cmd, { timeout: 15000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER, env });
+        const result = await _runShellSafeGh(args, { timeout: 15000, maxBuffer: GH_MAX_BUFFER, env });
         if (result && !result.includes('Not Found')) {
           logParts.push(`--- ${run.name || 'Check'} (log) ---\n${result}`);
         }
@@ -1235,26 +1268,45 @@ async function dismissPriorViewerChangesRequestedReviews(pr, project) {
     const os = require('os');
     let dismissed = 0;
     let errors = 0;
-    for (const reviewId of targets) {
-      tmpFile = path.join(os.tmpdir(), `gh-review-dismiss-${process.pid}-${Date.now()}-${reviewId}.json`);
-      const body = JSON.stringify({
-        message: 'Superseded by Minions re-review (verdict flipped to APPROVE).',
-        event: 'DISMISS',
-      });
-      try {
-        fs.writeFileSync(tmpFile, body);
-        const cmd = `gh api -X PUT --input "${tmpFile}" "repos/${slug}/pulls/${prNum}/reviews/${reviewId}/dismissals"`;
-        const token = ghToken.resolveTokenForSlug(slug);
-        const env = token ? { ...process.env, GH_TOKEN: token } : undefined;
-        await _runExec(cmd, { timeout: 10000, encoding: 'utf-8', maxBuffer: GH_MAX_BUFFER, env });
-        dismissed += 1;
-        log('info', `PR ${pr.id}: dismissed prior CHANGES_REQUESTED review ${reviewId} by ${viewerLogin}`);
-      } catch (e) {
-        errors += 1;
-        log('warn', `PR ${pr.id}: dismiss review ${reviewId} failed: ${e?.message || e}`);
-      } finally {
-        try { fs.unlinkSync(tmpFile); } catch {}
-        tmpFile = null;
+    // P-f6-tmp-toctou: per-call mkdtempSync dir (random 6-char suffix) closes
+    // the predictable-prefix window on <os.tmpdir>/gh-review-dismiss-* that
+    // an attacker could otherwise plant as a symlink.
+    // P-f2-gh-shell: argv form via shellSafeGh — validates slug, prNum, and
+    // reviewId so a poisoned PR record can't smuggle shell metacharacters.
+    let scopedDir = null;
+    try {
+      scopedDir = fs.mkdtempSync(path.join(os.tmpdir(), 'gh-review-dismiss-'));
+      if (process.platform !== 'win32') {
+        try { fs.chmodSync(scopedDir, 0o700); } catch { /* best-effort */ }
+      }
+      for (const reviewId of targets) {
+        tmpFile = path.join(scopedDir, `dismiss-${reviewId}.json`);
+        const body = JSON.stringify({
+          message: 'Superseded by Minions re-review (verdict flipped to APPROVE).',
+          event: 'DISMISS',
+        });
+        try {
+          fs.writeFileSync(tmpFile, body);
+          const args = [
+            'api', '-X', 'PUT', '--input', tmpFile,
+            `repos/${shared.validateGhSlug(slug)}/pulls/${shared.validatePrNum(prNum)}/reviews/${shared.validateReviewId(reviewId)}/dismissals`,
+          ];
+          const token = ghToken.resolveTokenForSlug(slug);
+          const env = token ? { ...process.env, GH_TOKEN: token } : undefined;
+          await _runShellSafeGh(args, { timeout: 10000, maxBuffer: GH_MAX_BUFFER, env });
+          dismissed += 1;
+          log('info', `PR ${pr.id}: dismissed prior CHANGES_REQUESTED review ${reviewId} by ${viewerLogin}`);
+        } catch (e) {
+          errors += 1;
+          log('warn', `PR ${pr.id}: dismiss review ${reviewId} failed: ${e?.message || e}`);
+        } finally {
+          try { fs.unlinkSync(tmpFile); } catch {}
+          tmpFile = null;
+        }
+      }
+    } finally {
+      if (scopedDir) {
+        try { fs.rmSync(scopedDir, { recursive: true, force: true }); } catch {}
       }
     }
     return { attempted: true, dismissed, errors };
@@ -1515,5 +1567,6 @@ module.exports = {
   _setCachedViewerLogin, // exported for testing (W-mp3bp0ha000997ab-b backfill)
   _backfillViewerDidAuthor, // exported for testing (W-mp3bp0ha000997ab-b backfill)
   _setExecAsyncForTest, // W-mp5trwh60008386d: test seam to mock `gh api` shell-outs
+  _setShellSafeGhForTest, // P-f2-gh-shell (F2): test seam to mock argv-form gh api calls
   GH_NOT_FOUND, // W-mp5trwh60008386d: exported so tests can assert sentinel propagation
 };

package/engine/issues.js

@@ -327,9 +327,19 @@ function createGitHubIssue({
   const safeTitle = _redactIssueContent(title, { repo, projects: redactionProjects });
   const safeDescription = _redactIssueContent(description || '', { repo, projects: redactionProjects });
   const issueBody = `${safeDescription}\n\n---\n_Filed via Minions dashboard_`;
-  const dir = tmpDir || path.join(__dirname, 'tmp');
-  fs.mkdirSync(dir, { recursive: true });
-  const bodyFile = path.join(dir, `bug-body-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}.md`);
+  // P-f6-tmp-toctou: per-call mkdtempSync dir (under engine/tmp/ for
+  // collocation with other engine tmp state). Random suffix closes the
+  // predictable-prefix window on engine/tmp/bug-body-* that an attacker could
+  // otherwise plant as a symlink.
+  let scopedDir = null;
+  let bodyFile;
+  if (tmpDir) {
+    fs.mkdirSync(tmpDir, { recursive: true });
+    bodyFile = path.join(tmpDir, `bug-body-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}.md`);
+  } else {
+    scopedDir = shared.createDispatchTmpDir(`issues-${process.pid}-${Date.now()}`);
+    bodyFile = path.join(scopedDir, 'bug-body.md');
+  }
   fs.writeFileSync(bodyFile, issueBody);
 
   let resolved;
@@ -377,6 +387,7 @@ function createGitHubIssue({
     throw new GitHubIssueError(`GitHub issue creation failed: ${conciseGhMessage(e)}`);
   } finally {
     try { fs.unlinkSync(bodyFile); } catch {}
+    if (scopedDir) shared.removeDispatchTmpDir(scopedDir);
   }
 }
 

package/engine/lifecycle.js

@@ -272,30 +272,66 @@ function checkPlanCompletion(meta, config) {
         continue;
       }
 
-      // Build per-project setup block
+      // Build per-project setup block.
+      // P-f3-verify-prompt — validate every branch ref before splicing into
+      // the bash setup commands the verify agent will execute. Without this,
+      // a crafted `plan.feature_branch` (e.g. `main; rm -rf ~`) or PR
+      // `branch` field reaches the Bash tool via template literal
+      // interpolation. github.js validates pr.branch on API persistence
+      // (engine/github.js:612-622), but feature_branch has no upstream
+      // validator and mainBranch can fall through unvalidated from project
+      // config when `git rev-parse` can't verify it (shared.js:1328). Defense
+      // in depth lives here, at the actual interpolation site.
       let checkoutBlock;
       let wtPath;
       if (isSharedBranch) {
+        let safeFeatureBranch;
+        try {
+          safeFeatureBranch = shared.validateGitRef(plan.feature_branch);
+        } catch (refErr) {
+          log('error', `Plan ${planFile}: verify dispatch rejected for ${projName} — invalid feature_branch ref: ${refErr.message}. Skipping verify WI creation.`);
+          continue;
+        }
         wtPath = `${p.localPath}/../worktrees/verify-${projName}-${planSlug}`;
-        const featureBranch = plan.feature_branch;
         checkoutBlock = [
           `# ${projName} — shared-branch: use existing feature branch directly`,
           `cd "${p.localPath.replace(/\\/g, '/')}"`,
-          `git fetch origin "${featureBranch}"`,
-          `git worktree add "${wtPath}" "origin/${featureBranch}" 2>/dev/null || (cd "${wtPath}" && git checkout "${featureBranch}" && git pull origin "${featureBranch}")`,
+          `git fetch origin "${safeFeatureBranch}"`,
+          `git worktree add "${wtPath}" "origin/${safeFeatureBranch}" 2>/dev/null || (cd "${wtPath}" && git checkout "${safeFeatureBranch}" && git pull origin "${safeFeatureBranch}")`,
         ].join('\n');
       } else {
+        let safeMainBranch;
+        try {
+          safeMainBranch = shared.validateGitRef(mainBranch);
+        } catch (refErr) {
+          log('error', `Plan ${planFile}: verify dispatch rejected for ${projName} — invalid mainBranch ref: ${refErr.message}. Skipping verify WI creation.`);
+          continue;
+        }
+        const safeBranches = [];
+        let badPrBranch = null;
+        for (const pr of prs) {
+          if (!pr.branch) continue;
+          try {
+            safeBranches.push({ id: pr.id || pr.branch, branch: shared.validateGitRef(pr.branch) });
+          } catch (refErr) {
+            badPrBranch = { id: pr.id || '(unknown)', raw: pr.branch, err: refErr };
+            break;
+          }
+        }
+        if (badPrBranch) {
+          log('error', `Plan ${planFile}: verify dispatch rejected for ${projName} — invalid pr.branch[${badPrBranch.id}] ref: ${badPrBranch.err.message}. Skipping verify WI creation.`);
+          continue;
+        }
         wtPath = `${p.localPath}/../worktrees/verify-${projName}-${planSlug}-${shared.uid()}`;
-        const branches = prs.map(pr => pr.branch).filter(Boolean);
         checkoutBlock = [
-          `# ${projName} — merge ${branches.length} PR branch(es) into one worktree`,
+          `# ${projName} — merge ${safeBranches.length} PR branch(es) into one worktree`,
           `cd "${p.localPath.replace(/\\/g, '/')}"`,
-          branches.length > 0
-            ? `git fetch origin ${branches.map(b => `"${b}"`).join(' ')} "${mainBranch}"`
-            : `git fetch origin "${mainBranch}"`,
-          `git worktree add "${wtPath}" "origin/${mainBranch}" 2>/dev/null || (cd "${wtPath}" && git checkout "${mainBranch}" && git pull origin "${mainBranch}")`,
+          safeBranches.length > 0
+            ? `git fetch origin ${safeBranches.map(({ branch }) => `"${branch}"`).join(' ')} "${safeMainBranch}"`
+            : `git fetch origin "${safeMainBranch}"`,
+          `git worktree add "${wtPath}" "origin/${safeMainBranch}" 2>/dev/null || (cd "${wtPath}" && git checkout "${safeMainBranch}" && git pull origin "${safeMainBranch}")`,
           `cd "${wtPath}"`,
-          ...branches.map(b => `git merge "origin/${b}" --no-edit  # ${prs.find(pr => pr.branch === b)?.id || b}`),
+          ...safeBranches.map(({ id, branch }) => `git merge "origin/${branch}" --no-edit  # ${id}`),
         ].join('\n');
       }
 

package/engine/llm.js

@@ -319,10 +319,13 @@ function _spawnProcess(promptText, sysPromptText, callOpts) {
   } = callOpts;
 
   const id = uid();
-  const tmpDir = path.join(ENGINE_DIR, 'tmp');
-  if (!fs.existsSync(tmpDir)) fs.mkdirSync(tmpDir, { recursive: true });
+  // P-f6-tmp-toctou: each direct/indirect LLM call gets its own unguessable
+  // tmp dir (mkdtempSync + chmod 0o700 on POSIX). The whole dir is rm'd by
+  // cleanupFiles consumers via shared.removeDispatchTmpDir.
+  const llmTmpDir = shared.createDispatchTmpDir(`llm-${label || 'call'}-${id}`);
 
   const cleanupFiles = [];
+  const cleanupDirs = [llmTmpDir];
   const caps = (runtime && runtime.capabilities) || {};
   const adapterOpts = {
     model, maxTurns, allowedTools, effort, sessionId,
@@ -346,7 +349,7 @@ function _spawnProcess(promptText, sysPromptText, callOpts) {
     // via --system-prompt-file (Claude) AND we're not resuming (resumed sessions
     // already have the sys prompt baked in).
     if (!sessionId && sysPromptText && caps.systemPromptFile) {
-      sysTmpPath = path.join(tmpDir, `direct-sys-${id}.md`);
+      sysTmpPath = path.join(llmTmpDir, `direct-sys-${id}.md`);
       fs.writeFileSync(sysTmpPath, sysPromptText);
       cleanupFiles.push(sysTmpPath);
       adapterOpts.sysPromptFile = sysTmpPath;
@@ -369,12 +372,12 @@ function _spawnProcess(promptText, sysPromptText, callOpts) {
     } else {
       try { proc.stdin.write(finalPrompt); proc.stdin.end(); } catch { /* broken pipe */ }
     }
-    return { proc, cleanupFiles };
+    return { proc, cleanupFiles, cleanupDirs };
   }
 
   // Indirect: use spawn-agent.js (when direct=false or binary cache miss)
-  const promptPath = path.join(tmpDir, `${label}-prompt-${id}.md`);
-  const sysPath = path.join(tmpDir, `${label}-sys-${id}.md`);
+  const promptPath = path.join(llmTmpDir, `${label}-prompt-${id}.md`);
+  const sysPath = path.join(llmTmpDir, `${label}-sys-${id}.md`);
   // The wrapper merges sys prompt into the user prompt for runtimes without
   // --system-prompt-file (Copilot) — write the user prompt as `finalPrompt`
   // (system block already prepended by buildPrompt) for those, and just the
@@ -402,7 +405,7 @@ function _spawnProcess(promptText, sysPromptText, callOpts) {
   const proc = runFile(process.execPath, args, {
     cwd: MINIONS_DIR, stdio: ['pipe', 'pipe', 'pipe'], env: cleanChildEnv(),
   });
-  return { proc, cleanupFiles };
+  return { proc, cleanupFiles, cleanupDirs };
 }
 
 // ─── Streaming Accumulator ───────────────────────────────────────────────────
@@ -621,7 +624,7 @@ function callLLM(promptText, sysPromptText, opts = {}) {
   let _abort = null;
   const promise = new Promise((resolve) => {
     const _startMs = Date.now();
-    const { proc, cleanupFiles } = _spawnProcess(promptText, sysPromptText, {
+    const { proc, cleanupFiles, cleanupDirs } = _spawnProcess(promptText, sysPromptText, {
       direct, label, runtime, model, maxTurns, allowedTools, effort, sessionId,
       maxBudget, bare, fallbackModel,
       ...runtimeFeatureOpts,
@@ -657,6 +660,7 @@ function callLLM(promptText, sysPromptText, opts = {}) {
       clearTimeout(timer);
       if (exitFallbackTimer) { clearTimeout(exitFallbackTimer); exitFallbackTimer = null; }
       for (const f of cleanupFiles) safeUnlink(f);
+      for (const d of (cleanupDirs || [])) shared.removeDispatchTmpDir(d);
       const parsed = acc.finalize();
       const durationMs = Date.now() - _startMs;
       const usage = parsed.usage ? { ...parsed.usage, durationMs } : { durationMs };
@@ -694,6 +698,7 @@ function callLLM(promptText, sysPromptText, opts = {}) {
       clearTimeout(timer);
       if (exitFallbackTimer) { clearTimeout(exitFallbackTimer); exitFallbackTimer = null; }
       for (const f of cleanupFiles) safeUnlink(f);
+      for (const d of (cleanupDirs || [])) shared.removeDispatchTmpDir(d);
       shared.log('error', `LLM spawn error (${label}): ${err.message}`);
       resolve({
         text: '', usage: null, sessionId: null, code: 1,
@@ -733,7 +738,7 @@ function callLLMStreaming(promptText, sysPromptText, opts = {}) {
   let _abort = null;
   const promise = new Promise((resolve) => {
     const _startMs = Date.now();
-    const { proc, cleanupFiles } = _spawnProcess(promptText, sysPromptText, {
+    const { proc, cleanupFiles, cleanupDirs } = _spawnProcess(promptText, sysPromptText, {
       direct, label, runtime, model, maxTurns, allowedTools, effort, sessionId,
       maxBudget, bare, fallbackModel,
       ...runtimeFeatureOpts,
@@ -772,6 +777,7 @@ function callLLMStreaming(promptText, sysPromptText, opts = {}) {
       clearTimeout(timer);
       if (exitFallbackTimer) { clearTimeout(exitFallbackTimer); exitFallbackTimer = null; }
       for (const f of cleanupFiles) safeUnlink(f);
+      for (const d of (cleanupDirs || [])) shared.removeDispatchTmpDir(d);
       const parsed = acc.finalize();
       const durationMs = Date.now() - _startMs;
       const usage = parsed.usage ? { ...parsed.usage, durationMs } : { durationMs };
@@ -806,6 +812,7 @@ function callLLMStreaming(promptText, sysPromptText, opts = {}) {
       clearTimeout(timer);
       if (exitFallbackTimer) { clearTimeout(exitFallbackTimer); exitFallbackTimer = null; }
       for (const f of cleanupFiles) safeUnlink(f);
+      for (const d of (cleanupDirs || [])) shared.removeDispatchTmpDir(d);
       shared.log('error', `LLM-stream spawn error (${label}): ${err.message}`);
       resolve({
         text: '', usage: null, sessionId: null, code: 1,

package/engine/meeting.js

@@ -694,6 +694,7 @@ function _killMeetingDispatches(meetingId) {
     const tmpDir = path.join(shared.MINIONS_DIR, 'engine', 'tmp');
     const entriesToStop = [];
     const filesToDelete = [];
+    const dispatchDirsToRemove = [];
     shared.mutateJsonFileLocked(DISPATCH_PATH, (dp) => {
       dp.pending = Array.isArray(dp.pending) ? dp.pending : [];
       dp.active = Array.isArray(dp.active) ? dp.active : [];
@@ -707,10 +708,17 @@ function _killMeetingDispatches(meetingId) {
             continue;
           }
           entriesToStop.push(d);
-          filesToDelete.push(path.join(tmpDir, `pid-${d.id}.pid`));
-          filesToDelete.push(path.join(tmpDir, `prompt-${d.id}.md`));
-          filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md`));
-          filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md.tmp`));
+          // P-f6-tmp-toctou: prefer per-dispatch dir cleanup. Fall back to
+          // legacy individual-file cleanup for entries that pre-date the
+          // per-dispatch-dir layout.
+          if (d.tmpDir && shared.validateDispatchTmpDir(d.tmpDir)) {
+            dispatchDirsToRemove.push(d.tmpDir);
+          } else {
+            filesToDelete.push(path.join(tmpDir, `pid-${d.id}.pid`));
+            filesToDelete.push(path.join(tmpDir, `prompt-${d.id}.md`));
+            filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md`));
+            filesToDelete.push(path.join(tmpDir, `sysprompt-${d.id}.md.tmp`));
+          }
         }
         dp[queue] = kept;
       }
@@ -725,7 +733,7 @@ function _killMeetingDispatches(meetingId) {
     const pidsToKill = [];
     for (const d of entriesToStop) {
       try {
-        const pidFile = path.join(tmpDir, `pid-${d.id}.pid`);
+        const pidFile = shared.findDispatchPidFile(d) || path.join(tmpDir, `pid-${d.id}.pid`);
         const pid = shared.validatePid(fs.readFileSync(pidFile, 'utf8').trim());
         pidsToKill.push(pid);
       } catch { /* pending entries and already-finished agents may not have PID files */ }
@@ -736,6 +744,9 @@ function _killMeetingDispatches(meetingId) {
     for (const fp of filesToDelete) {
       try { fs.unlinkSync(fp); } catch { /* sidecar may not exist */ }
     }
+    for (const dir of dispatchDirsToRemove) {
+      shared.removeDispatchTmpDir(dir);
+    }
 
     if (entriesToStop.length > 0) log('info', `Killed ${entriesToStop.length} meeting dispatch(es) for ${meetingId}`);
     return entriesToStop.length;