@yemi33/minions 0.1.2009 → 0.1.2011

package/dashboard/js/settings.js

@@ -249,8 +249,9 @@ async function openSettings() {
         '<div style="display:flex;flex-direction:column;gap:6px;margin-top:8px">' +
           settingsToggle('Claude bare mode', 'set-claudeBareMode', !!e.claudeBareMode, '--bare suppresses CLAUDE.md auto-discovery; pair with explicit ccSystemPrompt or context will be lost') +
         '</div>' +
-        '<div style="display:grid;grid-template-columns:1fr 1fr;gap:8px;margin-top:8px">' +
-          settingsField('Claude fallback model', 'set-claudeFallbackModel', e.claudeFallbackModel || '', '', 'Used by --fallback-model on rate-limit / overload (Claude only)') +
+        '<div style="display:grid;grid-template-columns:1fr 1fr 1fr;gap:8px;margin-top:8px">' +
+          settingsField('Claude fallback model', 'set-claudeFallbackModel', e.claudeFallbackModel || '', 'e.g. sonnet', 'Passed via Claude --fallback-model. The Claude CLI swaps to this only on rate-limit (429). Used together with engine.copilotFallbackModel for the engine-level MODEL_UNAVAILABLE (overloaded/503) retry — see CLAUDE.md.') +
+          settingsField('Copilot fallback model', 'set-copilotFallbackModel', e.copilotFallbackModel || '', 'e.g. gpt-5.4', 'Copilot has no --fallback-model flag. On a MODEL_UNAVAILABLE (overloaded/503) retry, the engine OVERRIDES --model with this value (Copilot only).') +
           settingsField('Max budget (USD)', 'set-maxBudgetUsd', e.maxBudgetUsd != null ? String(e.maxBudgetUsd) : '', '', 'Fleet ceiling for --max-budget-usd. 0 is a valid cap (read-only / dry-run). Empty = no cap. Claude only.') +
         '</div>' +
         '<div style="display:flex;flex-direction:column;gap:6px;margin-top:8px">' +
@@ -627,6 +628,7 @@ async function saveSettings() {
       ccEffort: document.getElementById('set-ccEffort').value || null,
       claudeBareMode: !!document.getElementById('set-claudeBareMode')?.checked,
       claudeFallbackModel: (document.getElementById('set-claudeFallbackModel')?.value ?? '').trim(),
+      copilotFallbackModel: (document.getElementById('set-copilotFallbackModel')?.value ?? '').trim(),
       copilotDisableBuiltinMcps: !!document.getElementById('set-copilotDisableBuiltinMcps')?.checked,
       copilotSuppressAgentsMd: !!document.getElementById('set-copilotSuppressAgentsMd')?.checked,
       copilotStreamMode: document.getElementById('set-copilotStreamMode')?.value || 'on',

package/dashboard.js

@@ -8308,6 +8308,17 @@ What would you like to discuss or change? When you're happy, say "approve" and I
           if (_isClear(e.claudeFallbackModel)) _deleteEngineConfig('claudeFallbackModel');
           else _setEngineConfig('claudeFallbackModel', String(e.claudeFallbackModel));
         }
+        // W-mpg6isvy000xca4d — Copilot fallback model. Mirrors the
+        // claudeFallbackModel handler above. Empty / null clears; any string
+        // value is stored verbatim. The dispatch retry path (engine.js
+        // spawnAgent) reads engine.copilotFallbackModel when the previous
+        // failure was FAILURE_CLASS.MODEL_UNAVAILABLE and the runtime has
+        // capabilities.fallbackModel === false (Copilot has no --fallback-model
+        // flag, so we override --model directly).
+        if (e.copilotFallbackModel !== undefined) {
+          if (_isClear(e.copilotFallbackModel)) _deleteEngineConfig('copilotFallbackModel');
+          else _setEngineConfig('copilotFallbackModel', String(e.copilotFallbackModel));
+        }
         if (e.copilotStreamMode !== undefined) {
           const valid = ['on', 'off'];
           if (_isClear(e.copilotStreamMode)) _deleteEngineConfig('copilotStreamMode');

package/engine/dispatch.js

@@ -654,6 +654,12 @@ function completeDispatch(id, result = DISPATCH_RESULT.SUCCESS, reason = '', res
                   wi.status = WI_STATUS.PENDING;
                   wi._lastRetryReason = reason || '';
                   wi._lastRetryAt = ts();
+                  // W-mpg6isvy000xca4d — surface the previous failure class so the
+                  // next spawn can swap in a runtime-appropriate fallback model
+                  // when the previous attempt was bounced for MODEL_UNAVAILABLE
+                  // (overloaded_error / 503). Empty string clears any stale
+                  // value from an earlier failure cycle.
+                  wi._lastFailureClass = failureClass || '';
                   delete wi.failReason;
                   delete wi.failedAt;
                   delete wi.dispatched_at;
@@ -683,6 +689,7 @@ function completeDispatch(id, result = DISPATCH_RESULT.SUCCESS, reason = '', res
             [FAILURE_CLASS.INVALID_MANAGED_SPAWN]: 'managed-spawn.json failed validation (bad schema, workdir, or allowlist — see inbox alert)',
             [FAILURE_CLASS.MANAGED_SPAWN_HEALTHCHECK_FAILED]: 'managed-spawn spec(s) failed healthcheck within timeout (failing PIDs killed; surviving siblings stay alive)',
             [FAILURE_CLASS.INJECTION_FLAGGED]: 'agent flagged a prompt-injection attempt in spliced untrusted content — human review of the listed sources required before re-dispatch',
+            [FAILURE_CLASS.MODEL_UNAVAILABLE]: 'requested model returned overloaded/503 — fallback model swapped in for retry',
             [FAILURE_CLASS.UNKNOWN]: 'unknown error',
           };
           const classLabel = failureClass ? (CLASS_LABELS[failureClass] || failureClass) : '';

package/engine/lifecycle.js

@@ -1963,8 +1963,19 @@ function recordPrNoOpFixAttempt(target, cause, source, dispatchItem, branchChang
   ).slice(0, 500);
   target._lastDispatchByCause = target._lastDispatchByCause
     && typeof target._lastDispatchByCause === 'object' ? target._lastDispatchByCause : {};
+  // W-mpg6wptq0011cc68: distinguish indeterminate noops (detection could not
+  // prove the branch advanced — fetch failed, worktree gone, missing baseline)
+  // from confirmed noops (remote head was verified to equal beforeHead). The
+  // same-head guard in engine.js MUST NOT permanently suppress on indeterminate
+  // records, otherwise a single failed detection locks out future fix
+  // dispatches on that head+comment until the SHA moves — and the SHA cannot
+  // move unless the suppressed fix runs. The `_noOpFixes[cause].count` +
+  // `prNoOpFixPauseAttempts` (default 3) safety valve still applies; only the
+  // same-head guard is relaxed.
+  const indeterminate = !!branchChange && branchChange.changed === null;
   target._lastDispatchByCause[cause] = {
     outcome: 'noop',
+    indeterminate,
     headSha,
     reason: reasonText,
     dispatchedAt: now,

package/engine/playbook.js

@@ -1032,7 +1032,17 @@ function selectPlaybook(workType, item) {
 
 function buildPrDispatch(agentId, config, project, pr, type, extraVars, taskLabel, meta) {
   const dispatchId = `${agentId || 'unassigned'}-${type}-${shared.uid()}`;
-  const vars = { ...buildBaseVars(agentId, config, project), ...extraVars, task_id: dispatchId };
+  // W-mpg6wptq0011cc68: PR-context dispatches (review/fix/build-and-test) all
+  // operate on the PR's branch, so default `branch_name` to `pr_branch` here
+  // so shared-rules.md's `{{branch_name}}` reference resolves. Without this,
+  // every PR fix/review render emits a recurring `unresolved template
+  // variables: branch_name` warn. Callers may still override explicitly.
+  const vars = {
+    ...buildBaseVars(agentId, config, project),
+    branch_name: extraVars?.pr_branch || '',
+    ...extraVars,
+    task_id: dispatchId,
+  };
   const playbookName = type === 'test' ? 'build-and-test' : (type === 'review' ? 'review' : 'fix');
   const prompt = renderPlaybook(playbookName, vars);
   if (!prompt) return null;

package/engine/runtimes/claude.js

@@ -412,6 +412,7 @@ function usesSystemPromptFile({ isResume } = {}) {
 function _runtimeFailureClass(code) {
   if (code === 'auth-failure' || code === 'budget-exceeded') return FAILURE_CLASS.PERMISSION_BLOCKED;
   if (code === 'context-limit') return FAILURE_CLASS.OUT_OF_CONTEXT;
+  if (code === 'model-unavailable') return FAILURE_CLASS.MODEL_UNAVAILABLE;
   if (code === 'crash') return FAILURE_CLASS.SPAWN_ERROR;
   return null;
 }
@@ -552,6 +553,16 @@ function parseError(rawOutput) {
   if (/budget.*exceed|max.budget.usd.*reach|cost.*limit.*exceed/i.test(lower)) {
     return { message: 'Claude budget cap exceeded — check your Claude account spending limit.', code: 'budget-exceeded', retriable: false };
   }
+  // W-mpg6isvy000xca4d — Anthropic overload / 503 / service-unavailable. Claude's
+  // own `--fallback-model` only fires on 429 (rate-limit); these failure modes
+  // hang the agent until the 5h timeout. Classify as MODEL_UNAVAILABLE so the
+  // dispatch loop retries with the runtime-appropriate fallback model. Match
+  // before the crash branch — Anthropic's overloaded responses can include
+  // "internal error" / "panic"-style phrasing that would otherwise be misread
+  // as a CLI crash.
+  if (/overloaded_error|service[_ ]unavailable|model.*(?:unavailable|overloaded)|\b503\b|temporarily unavailable/i.test(text)) {
+    return { message: 'Claude model temporarily unavailable (overloaded / 503)', code: 'model-unavailable', retriable: true };
+  }
   if (/internal error|panic|segmentation fault|claude.*crashed|fatal: claude/i.test(lower)) {
     return { message: 'Claude CLI crashed unexpectedly. Try again.', code: 'crash', retriable: true };
   }

package/engine/runtimes/copilot.js

@@ -602,6 +602,7 @@ function usesSystemPromptFile() {
 function _runtimeFailureClass(code) {
   if (code === 'auth-failure' || code === 'budget-exceeded') return FAILURE_CLASS.PERMISSION_BLOCKED;
   if (code === 'unknown-model') return FAILURE_CLASS.CONFIG_ERROR;
+  if (code === 'model-unavailable') return FAILURE_CLASS.MODEL_UNAVAILABLE;
   if (code === 'rate-limit') return FAILURE_CLASS.NETWORK_ERROR;
   if (code === 'crash') return FAILURE_CLASS.SPAWN_ERROR;
   return null;
@@ -844,6 +845,14 @@ function parseError(rawOutput) {
   if (hasExplicitAuthFailure || hasAuthStatusCode) {
     return { message: text, code: 'auth-failure', retriable: false };
   }
+  // W-mpg6isvy000xca4d — Copilot has no --fallback-model flag; classify
+  // overloaded / 503 / service_unavailable as MODEL_UNAVAILABLE so the engine
+  // retry can OVERRIDE --model with engine.copilotFallbackModel. Match before
+  // rate-limit so 503/overload never gets misread as a 429 (which would
+  // bucket into NETWORK_ERROR and re-spawn against the same broken model).
+  if (/overloaded_error|service[_ ]unavailable|model.*(?:unavailable|overloaded)|\b503\b|temporarily unavailable/i.test(text)) {
+    return { message: text, code: 'model-unavailable', retriable: true };
+  }
   if (/rate limit|too many requests|\b429\b/i.test(text)) {
     return { message: text, code: 'rate-limit', retriable: true };
   }

package/engine/shared.js

@@ -1764,7 +1764,8 @@ const ENGINE_DEFAULTS = {
   ccCli: undefined,              // CC/doc-chat CLI override; undefined = inherit defaultCli (independent of agent path)
   ccModel: undefined,            // CC/doc-chat model override; undefined = inherit defaultModel
   claudeBareMode: false,         // Claude --bare: suppress CLAUDE.md auto-discovery (per-agent override: agents.<id>.bareMode)
-  claudeFallbackModel: undefined,// Claude --fallback-model on rate-limit / overload (Claude-only)
+  claudeFallbackModel: undefined,// Claude --fallback-model — Claude CLI honors this on rate-limit (429) only; engine retry on FAILURE_CLASS.MODEL_UNAVAILABLE keeps the flag passed so the CLI can swap internally
+  copilotFallbackModel: undefined,// W-mpg6isvy000xca4d: Copilot has no --fallback-model flag; engine retry on FAILURE_CLASS.MODEL_UNAVAILABLE OVERRIDES --model directly with this value (separate knob from claudeFallbackModel because model namespaces differ across runtimes)
   copilotDisableBuiltinMcps: true,   // Copilot --disable-builtin-mcps: keep github-mcp-server out so it can't bypass pull-requests.json tracking
   copilotSuppressAgentsMd: true,     // Copilot --no-custom-instructions: stop AGENTS.md auto-load from fighting Minions playbook prompts
   copilotStreamMode: 'on',           // Copilot --stream <on|off>: 'on' streams assistant.message_delta events live; 'off' batches them
@@ -2606,6 +2607,7 @@ const FAILURE_CLASS = {
   INVALID_MANAGED_SPAWN: 'invalid-managed-spawn', // P-7a3b1c92: agents/<id>/managed-spawn.json failed validator (bad schema, broken workdir, executable/env not on allowlist, healthcheck shape wrong). Engine refuses to spawn any spec — agent must fix file; never retryable as-is.
   MANAGED_SPAWN_HEALTHCHECK_FAILED: 'managed-spawn-healthcheck-failed', // P-7a3b1c92: at least one managed-spawn spec was spawned but failed its healthcheck within timeout_s. Engine killed the failing PIDs; siblings stay alive. Dispatch ERROR with the failing spec name + log tail surfaced in the inbox alert.
   INJECTION_FLAGGED: 'injection-flagged', // F5 (W-mpeklod3000we69c): the agent set `securityFlags.injectionAttempt:true` in its completion report after spotting a prompt-injection attempt inside an <UNTRUSTED-INPUT> fence. Engine writes a security inbox note + stamps `_securityFlag` on the WI and treats the dispatch as non-retryable so a human can review the source before the agent re-runs.
+  MODEL_UNAVAILABLE: 'model-unavailable', // W-mpg6isvy000xca4d: requested model returned overloaded_error / 503 / service_unavailable. Retriable — engine swaps in the runtime-appropriate fallback model on next spawn (Claude leans on --fallback-model already plumbed; Copilot overrides --model with engine.copilotFallbackModel).
   UNKNOWN: 'unknown',                     // Unclassified failure
 };
 const ESCALATION_POLICY = {

package/engine.js

@@ -148,6 +148,12 @@ const { renderPlaybook, validatePlaybookVars, PLAYBOOK_REQUIRED_VARS,
   buildBaseVars, buildPrDispatch, resolveTaskContext,
   getRepoHost, getRepoHostLabel, getRepoHostToolRule } = require('./engine/playbook');
 
+// Per-slug GitHub PAT resolution — mirrors getAdoToken/MINIONS_ADO_TOKEN.
+// Used at agent spawn time to inject GH_TOKEN for GitHub projects so child
+// `gh`/`git push` calls authenticate as the right account without falling
+// through to an interactive `gh auth login` device-code flow.
+const ghToken = require('./engine/gh-token');
+
 // sanitizeBranch imported from shared.js
 
 // ─── Lifecycle (extracted to engine/lifecycle.js) ────────────────────────────
@@ -1681,6 +1687,27 @@ async function spawnAgent(dispatchItem, config) {
   const resolvedMaxBudget = shared.resolveAgentMaxBudget(agentConfig, engineConfig);
   const resolvedBare = shared.resolveAgentBareMode(agentConfig, engineConfig);
 
+  // W-mpg6isvy000xca4d — On retry after FAILURE_CLASS.MODEL_UNAVAILABLE, swap
+  // to the runtime-appropriate fallback model. Two paths gated on
+  // `runtime.capabilities.fallbackModel` (no `runtime.name === ...` branches):
+  //   - Capability TRUE (Claude): the CLI's own --fallback-model handles
+  //     the swap on 429. We keep `engineConfig.claudeFallbackModel` plumbed
+  //     unconditionally via the fallbackModel opt below; no model override
+  //     needed at the engine layer.
+  //   - Capability FALSE (Copilot): no --fallback-model flag exists, so we
+  //     OVERRIDE the --model arg directly with engine.copilotFallbackModel
+  //     for this retry attempt only. The work item's _lastFailureClass is
+  //     written by dispatch.js's retry block; the next normal dispatch loop
+  //     pick-up re-reads it through meta.item.
+  let effectiveModel = resolvedModel;
+  const prevFailureClass = meta?.item?._lastFailureClass || null;
+  if (prevFailureClass === FAILURE_CLASS.MODEL_UNAVAILABLE
+      && runtime.capabilities?.fallbackModel === false
+      && engineConfig.copilotFallbackModel) {
+    effectiveModel = engineConfig.copilotFallbackModel;
+    log('info', `MODEL_UNAVAILABLE retry: ${runtimeName} ${id} — overriding --model to ${effectiveModel}`);
+  }
+
   const requestedEffort = engineConfig.agentEffort || null;
 
   let cachedSessionId = null;
@@ -1698,7 +1725,7 @@ async function spawnAgent(dispatchItem, config) {
   }
 
   const args = _buildAgentSpawnFlags(runtime, {
-    model: resolvedModel,
+    model: effectiveModel,
     maxTurns: _maxTurnsForType(type, engineConfig),
     allowedTools: claudeConfig.allowedTools,
     effort: requestedEffort,
@@ -1735,6 +1762,17 @@ async function spawnAgent(dispatchItem, config) {
     childEnv.MINIONS_KEEP_PROCESSES_SKIP_WORKDIR_CHECK = '1';
   }
 
+  // W-mpg54mi2000n7b7e — suppress Git's interactive credential prompts and
+  // Git Credential Manager's GUI dialog for every agent spawn. Without these,
+  // a child `git push` against a private repo whose cached PAT expired pops a
+  // Windows credential window the agent can never dismiss, hanging the
+  // dispatch until the 5h agentTimeout wall-clock kill. Mirrors
+  // shared.gitEnv() which already sets these for the engine's own git ops.
+  // These vars are cheap and only take effect when git is invoked, so we set
+  // them unconditionally regardless of repo host.
+  childEnv.GIT_TERMINAL_PROMPT = '0';
+  childEnv.GCM_INTERACTIVE = 'never';
+
   if (getRepoHost(project) === 'ado') {
     // Inject cached ADO token so ADO agents skip re-authentication (#998).
     // getAdoToken() returns cached token (30-min TTL) or null — never blocks on browser auth.
@@ -1742,6 +1780,19 @@ async function spawnAgent(dispatchItem, config) {
       const adoToken = await getAdoToken();
       if (adoToken) childEnv.MINIONS_ADO_TOKEN = adoToken;
     } catch { /* non-fatal — agent can still authenticate on its own */ }
+  } else if (getRepoHost(project) === 'github') {
+    // W-mpg54mi2000n7b7e — inject a per-slug GitHub PAT so child `gh`/`git`
+    // calls authenticate as the right account without any `gh auth login`
+    // interactive flow. Resolution honors config.engine.ghAccounts via
+    // engine/gh-token.js (exact owner → owner-glob → fleet default → null).
+    // Mirrors the MINIONS_ADO_TOKEN injection above for ADO projects.
+    try {
+      const slug = shared.getProjectOrg(project) && project?.repoName
+        ? `${shared.getProjectOrg(project)}/${project.repoName}`
+        : null;
+      const ghTok = slug ? ghToken.resolveTokenForSlug(slug) : null;
+      if (ghTok) childEnv.GH_TOKEN = ghTok;
+    } catch { /* non-fatal — agent can still authenticate on its own */ }
   }
 
   // Spawn via wrapper script — node directly (no bash intermediary)
@@ -2017,7 +2068,7 @@ async function spawnAgent(dispatchItem, config) {
       }
 
       const resumeArgs = _buildAgentSpawnFlags(runtime, {
-        model: resolvedModel,
+        model: effectiveModel,
         maxTurns: engineConfig?.maxTurns || ENGINE_DEFAULTS.maxTurns,
         allowedTools: claudeConfig?.allowedTools,
         sessionId: steerSessionId,
@@ -2048,12 +2099,28 @@ async function spawnAgent(dispatchItem, config) {
       if (completionNonce) childEnv.MINIONS_COMPLETION_NONCE = completionNonce;
       childEnv.MINIONS_LIVE_OUTPUT_PATH = liveOutputPath;
       childEnv.MINIONS_REPO_HOST = getRepoHost(project);
+      // W-mpg54mi2000n7b7e — same Git non-interactive guards as the initial
+      // spawn path. Steering-resumed agents are equally susceptible to GCM
+      // credential dialogs on `git push` against stale PATs.
+      childEnv.GIT_TERMINAL_PROMPT = '0';
+      childEnv.GCM_INTERACTIVE = 'never';
       if (getRepoHost(project) === 'ado') {
         // Inject cached ADO token for steering session too (#998)
         try {
           const adoToken = await getAdoToken();
           if (adoToken) childEnv.MINIONS_ADO_TOKEN = adoToken;
         } catch { /* non-fatal */ }
+      } else if (getRepoHost(project) === 'github') {
+        // W-mpg54mi2000n7b7e — same per-slug GH_TOKEN injection as the
+        // initial spawn path so steering-resumed GitHub agents don't fall
+        // through to an interactive `gh auth login` device-code flow.
+        try {
+          const slug = shared.getProjectOrg(project) && project?.repoName
+            ? `${shared.getProjectOrg(project)}/${project.repoName}`
+            : null;
+          const ghTok = slug ? ghToken.resolveTokenForSlug(slug) : null;
+          if (ghTok) childEnv.GH_TOKEN = ghTok;
+        } catch { /* non-fatal */ }
       }
       // W-mp6k7ywi000fa33c — propagate keep_processes workdir-check override across steering resume.
       if (dispatchItem.meta?.item?.meta?.keep_processes_skip_workdir_check
@@ -4185,6 +4252,13 @@ async function discoverFromPrs(config, project) {
       // queued). Skip only the human-feedback dispatch path; leave
       // `fixDispatched=false` so downstream causes are still evaluated.
       const skipHumanFeedback = !!(lastHumanDispatch?.outcome === 'noop'
+        // W-mpg6wptq0011cc68: indeterminate noops (detection could not verify
+        // branch advance — fetch failed, worktree gone) must NOT permanently
+        // suppress re-dispatch. lifecycle.js:2043-2048 explicitly comments
+        // that a future tick with working detection must be free to re-fire.
+        // The `_noOpFixes` count + `prNoOpFixPauseAttempts` (default 3) safety
+        // valve still triggers pause if detection keeps failing.
+        && !lastHumanDispatch.indeterminate
         && lastHumanDispatch.headSha
         && currentHeadSha
         && lastHumanDispatch.headSha === currentHeadSha
@@ -4369,6 +4443,12 @@ async function discoverFromPrs(config, project) {
       // below — symmetric to the human-feedback bug. Skip only the build-fix
       // dispatch path; downstream merge-conflict resolution must still run.
       const skipBuildFix = !!(lastBuildDispatch?.outcome === 'noop'
+        // W-mpg6wptq0011cc68: symmetric protection — indeterminate noops here
+        // (detection couldn't verify branch advance) must NOT permanently
+        // suppress build-fix either. Same rationale as the human-feedback
+        // guard above; the per-cause `_noOpFixes` count + pause-after-N valve
+        // still applies.
+        && !lastBuildDispatch.indeterminate
         && lastBuildDispatch.headSha
         && currentHeadSha
         && lastBuildDispatch.headSha === currentHeadSha);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.2009",
+  "version": "0.1.2011",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"