@yemi33/minions 0.1.2044 → 0.1.2045

package/engine/queries.js

@@ -1772,8 +1772,17 @@ function _scheduleProjectGitStatusRefresh(localPath, key, configuredMainBranch)
   if (existing && existing.promise) return existing.promise;
   const entry = existing || { ts: 0, value: PROJECT_GIT_STATUS_PENDING, promise: null };
   const prevValue = entry.value;
+  // Capture probe-start time BEFORE running git, not after. Used as the
+  // baseline for `_projectGitRefsAdvancedSince` on the next call. If we
+  // captured probe-END time, a file written just before the probe started
+  // could end up with `mtimeMs >= entry.ts` on a fast filesystem (NTFS
+  // mtime granularity vs millisecond-precise Date.now()), busting the
+  // cache spuriously on the very next read. Probe-START is the safer
+  // anchor — any file with `mtimeMs > probeStartTs` legitimately changed
+  // at-or-after the probe, so re-probing is correct.
+  const probeStartTs = Date.now();
   entry.promise = _probeProjectGitStatus(localPath, configuredMainBranch).then(value => {
-    entry.ts = Date.now();
+    entry.ts = probeStartTs;
     entry.value = value;
     entry.promise = null;
     if (_onProjectGitStatusChanged && !_projectGitStatusEqual(prevValue, value)) {
@@ -1824,6 +1833,30 @@ function _resolveGitDir(localPath) {
   return null;
 }
 
+// For a per-worktree gitdir, resolve the COMMON gitdir shared across all
+// linked worktrees of the same repo. Git writes per-worktree state
+// (HEAD, logs/HEAD, index) into the worktree-specific gitdir, but state
+// that's logically per-repo (objects, refs/remotes/, FETCH_HEAD) into
+// the common gitdir. The common location is recorded in
+// `<per-worktree-gitdir>/commondir`, a file containing either an
+// absolute path or a path relative to the per-worktree gitdir
+// (typically `../..` — resolves from `<main>/.git/worktrees/<name>` →
+// `<main>/.git`). For the main worktree there is no commondir file and
+// `gitDir` already IS the common gitdir, so this function returns
+// `gitDir` unchanged. Callers should track FETCH_HEAD and
+// refs/remotes/origin/<comparator> against the COMMON gitdir; logs/HEAD
+// must stay on the per-worktree gitdir so per-worktree HEAD moves still
+// register.
+function _resolveCommonGitDir(gitDir) {
+  if (!gitDir) return null;
+  const commondirPath = path.join(gitDir, 'commondir');
+  let raw = '';
+  try { raw = fs.readFileSync(commondirPath, { encoding: 'utf8', flag: 'r' }).trim(); }
+  catch { return gitDir; }
+  if (!raw) return gitDir;
+  return path.isAbsolute(raw) ? raw : path.resolve(gitDir, raw);
+}
+
 // Return true when any of the per-project git ref files (logs/HEAD,
 // FETCH_HEAD, refs/remotes/origin/<comparator>) have mtimeMs > cachedTs.
 // Lets `getProjectGitStatus` bypass its 15s TTL after `git pull`, `git
@@ -1836,13 +1869,17 @@ function _resolveGitDir(localPath) {
 function _projectGitRefsAdvancedSince(localPath, cachedTs, configuredMainBranch) {
   const gitDir = _resolveGitDir(localPath);
   if (!gitDir) return false;
+  // logs/HEAD is per-worktree; FETCH_HEAD + refs/remotes/origin/* live in
+  // the COMMON gitdir for linked worktrees. For the main worktree both
+  // resolve to the same place, so this is a no-op there.
+  const commonGitDir = _resolveCommonGitDir(gitDir);
   const candidates = [
     path.join(gitDir, 'logs', 'HEAD'),
-    path.join(gitDir, 'FETCH_HEAD'),
+    path.join(commonGitDir, 'FETCH_HEAD'),
   ];
   const comparator = configuredMainBranch && String(configuredMainBranch).trim();
   if (comparator) {
-    candidates.push(path.join(gitDir, 'refs', 'remotes', 'origin', comparator));
+    candidates.push(path.join(commonGitDir, 'refs', 'remotes', 'origin', comparator));
   }
   for (const file of candidates) {
     try {
@@ -2052,8 +2089,16 @@ function getStatusFastStateMtimePaths(config) {
     files.push(shared.projectPrPath(p));
     if (p && p.localPath) {
       const gitDir = _resolveGitDir(p.localPath) || path.join(p.localPath, '.git');
+      // logs/HEAD is per-worktree (HEAD moves, commits, checkouts).
+      // FETCH_HEAD lives in the COMMON gitdir — `git fetch` from a linked
+      // worktree writes to `<main>/.git/FETCH_HEAD`, not to the
+      // per-worktree subdir. Tracking only the per-worktree path here
+      // would leave linked-worktree projects stuck after `git fetch`
+      // (the file at `<main>/.git/worktrees/<name>/FETCH_HEAD` never
+      // exists — verified empirically).
+      const commonGitDir = _resolveCommonGitDir(gitDir);
       files.push(path.join(gitDir, 'logs', 'HEAD'));
-      files.push(path.join(gitDir, 'FETCH_HEAD'));
+      files.push(path.join(commonGitDir, 'FETCH_HEAD'));
     }
   }
   return files;
@@ -2100,9 +2145,25 @@ function getStatusFastStateMtimePaths(config) {
  * Files intentionally NOT tracked here:
  *   - version, autoMode, installId — change only on human/CLI edits, which
  *     already pop the slow-state via reloadConfig + the 60 s TTL.
- *   - project git state — already invalidated via the
- *     `_setOnProjectGitStatusChanged` callback into `invalidateStatusCache`
- *     (W-mpgrk5cy fix); also tracked in fast-state via `.git/logs/HEAD`.
+ *
+ * Per-project `.git/logs/HEAD` + `.git/FETCH_HEAD` ARE tracked here in
+ * addition to the fast-state tracker. The project payload (`projects:`
+ * with ahead/behind counts) lives in the slow-state slice, and
+ * `getProjectGitStatus` is called only from `_buildStatusSlowState`.
+ * Without tracking the git refs here, a fresh `git pull` busts
+ * fast-state but leaves slow-state cached for up to 60 s —
+ * `getProjectGitStatus` is never called, so the background probe never
+ * runs, so the `_setOnProjectGitStatusChanged` callback never fires,
+ * so the cache stays stale. Tracking the refs in BOTH tiers means any
+ * HEAD-moving / fetching git operation busts slow-state on the next
+ * poll, the rebuild calls `getProjectGitStatus` which then schedules
+ * the probe, and the probe's invalidation callback finishes the
+ * round-trip within ~1 poll cycle. `logs/HEAD` is resolved via
+ * `_resolveGitDir` (per-worktree); `FETCH_HEAD` is resolved via
+ * `_resolveCommonGitDir` (shared across all linked worktrees of the
+ * same repo — `git fetch` from a linked worktree writes to the main
+ * gitdir, not the per-worktree subdir, so tracking the per-worktree
+ * path would silently miss every fetch).
  *
  * NOTE: Detecting a change here busts the dashboard's slow-state cache, but
  * the inner per-source caches (`queries._skillsCache` 30 s, dashboard's
@@ -2170,6 +2231,22 @@ function getStatusSlowStateMtimePaths(config) {
     }
   }
 
+  // Per-project git refs — see the "Per-project .git/logs/HEAD" note in
+  // the header. Same pair the fast-state tracker watches; `logs/HEAD` is
+  // per-worktree (resolved via `_resolveGitDir`) while `FETCH_HEAD` lives
+  // in the COMMON gitdir (resolved via `_resolveCommonGitDir`) — git
+  // fetches from a linked worktree write to `<main>/.git/FETCH_HEAD`,
+  // not into the per-worktree subdir. For the main worktree both
+  // resolvers return the same gitdir, so the behavior collapses to the
+  // expected `<localPath>/.git/{logs/HEAD,FETCH_HEAD}` pair.
+  for (const project of projects) {
+    if (!project || !project.localPath) continue;
+    const gitDir = _resolveGitDir(project.localPath) || path.join(project.localPath, '.git');
+    const commonGitDir = _resolveCommonGitDir(gitDir);
+    files.push(path.join(gitDir, 'logs', 'HEAD'));
+    files.push(path.join(commonGitDir, 'FETCH_HEAD'));
+  }
+
   return files;
 }
 

package/engine/shared.js

@@ -1779,6 +1779,7 @@ const ENGINE_DEFAULTS = {
   autoReReviewPrs: true, // auto-dispatch review agents after a PR fix is pushed
   autoFixReviewFeedback: true, // auto-dispatch fix agents for minions review changes-requested verdicts
   autoFixHumanComments: true, // auto-dispatch fix agents for actionable human PR comments
+  autoConsolidateMemory: false, // opt-in: periodically spawn engine/kb-sweep-runner.js from the tick loop (4h cadence). Inbox→notes consolidation already runs every tick via consolidateInbox; this flag only controls the KB sweep.
   prNoOpFixPauseAttempts: 2, // pause one PR automation cause after repeated no-op fixes for unchanged evidence
   completionReportRetentionDays: 90, // retain completion report sidecars beyond capped dispatch history
   completionReportMaxFiles: 5000, // hard cap for completion report sidecars during cleanup
@@ -1787,6 +1788,7 @@ const ENGINE_DEFAULTS = {
   evalLoop: true, // enable review→fix loop after implementation completes
   evalMaxCost: null, // USD ceiling per work item across all eval iterations; null = no limit (gather baseline data first)
   maxRetries: 3, // max dispatch retries before marking work item as failed
+  maxRetriesPerAgent: 2, // W-mpmwxn1j — per-agent retry cap. When the SAME agent fails the same WI this many times, the next retry MUST reassign to a different eligible agent (consults routing.md + agent availability). Falls back to the same agent only when no alternate is available. Counted separately from `maxRetries` (which caps total retries across all agents) and tracked on the WI as `_retriesByAgent: { agentId: count }`. Hard-pinned agents bypass reassignment (operator intent wins).
   maxPhantomRetries: 3, // max retries for "phantom completion" (runtime crashed before emitting type:"result"); tracked separately from _retryCount so phantom retries don't pollute the normal PR-attachment retry budget. See engine/lifecycle.markMissingPrAttachment + detectNonTerminalResultSummary.
   minRetryGapMs: 120000, // 2min — minimum gap between retry dispatches for the same work item; prevents tight retry loops when an idempotent agent (e.g. review bailing out on a duplicate) cannot produce the expected output (#1770)
   pipelineApiRetries: 2, // max attempts for pipeline API calls
@@ -4752,6 +4754,39 @@ function safeSlugComponent(text, maxLen = 80) {
   return `${base}-${hash}`.slice(0, maxLen);
 }
 
+// W-mpmwxn1j — Per-agent retry tracking. After the same agent has failed a WI
+// `ENGINE_DEFAULTS.maxRetriesPerAgent` times, the next dispatch must reassign
+// to a different eligible agent. The counter is stored on the WI itself
+// (`_retriesByAgent: { agentId: count }`) so engine restart preserves the
+// state. The counter is cleared on successful completion alongside
+// `_retryCount`. The caller passes a mutable WI object (inside a
+// `mutateWorkItems` / `mutateJsonFileLocked` callback) and the failed agent ID.
+// Anonymous failures (no resolvable agent) skip the bump — we'd corrupt the
+// shape with an `undefined` key. Returns the new per-agent count for logging.
+function bumpAgentRetryCount(wi, agentId) {
+  if (!wi || !agentId) return 0;
+  if (!wi._retriesByAgent || typeof wi._retriesByAgent !== 'object' || Array.isArray(wi._retriesByAgent)) {
+    wi._retriesByAgent = {};
+  }
+  const next = (Number(wi._retriesByAgent[agentId]) || 0) + 1;
+  wi._retriesByAgent[agentId] = next;
+  return next;
+}
+
+function getAgentRetryCount(wi, agentId) {
+  if (!wi || !agentId) return 0;
+  const map = wi._retriesByAgent;
+  if (!map || typeof map !== 'object' || Array.isArray(map)) return 0;
+  return Number(map[agentId]) || 0;
+}
+
+function resolveMaxRetriesPerAgent(config) {
+  const raw = config?.engine?.maxRetriesPerAgent;
+  const val = Number(raw);
+  if (Number.isFinite(val) && val > 0) return val;
+  return ENGINE_DEFAULTS.maxRetriesPerAgent;
+}
+
 const PR_AUTOMATION_CAUSE_LIMIT = 50;
 
 function getPrAutomationCauses(pr) {
@@ -4912,6 +4947,7 @@ module.exports = {
   tailTextBytes,
   appendTextTail,
   writeToInbox, parseNoteId,
+  bumpAgentRetryCount, getAgentRetryCount, resolveMaxRetriesPerAgent,
   exec,
   execAsync,
   execSilent,

package/engine/timeout.js

@@ -587,6 +587,10 @@ function checkTimeouts(config) {
             log('info', `Reconcile: work item ${item.id} agent died — auto-retry ${retries + 1}/${maxRetries}`);
             item.status = WI_STATUS.PENDING;
             item._retryCount = retries + 1;
+            // W-mpmwxn1j — bump per-agent retry count BEFORE deleting
+            // dispatched_to so the next dispatch can reassign away from the
+            // agent that died. Anonymous (no dispatched_to) failures don't bump.
+            if (item.dispatched_to) shared.bumpAgentRetryCount(item, item.dispatched_to);
             delete item.dispatched_at;
             delete item.dispatched_to;
             delete item._pendingReason;

package/engine.js

@@ -630,6 +630,26 @@ async function syncReusedWorktree(rootDir, worktreePath, branchName, gitOpts = {
 }
 
 // Find an existing worktree already checked out on a given branch
+// Parse the holder path out of a `git worktree add` "already used" error so
+// callers can give the operator something actionable instead of just re-
+// throwing the raw git message. The two surface forms emitted by current git
+// versions:
+//
+//   fatal: 'work/W-X' is already used by worktree at 'D:/squad'
+//   fatal: 'work/W-X' is already checked out at 'D:/squad'
+//
+// Returns null on unparseable input so callers fall through to the generic
+// re-throw path safely. Path is returned exactly as git printed it (forward
+// or back slashes), since callers compare it against rootDir which is
+// shaped the same way by upstream.
+function _parseAlreadyUsedHolderPath(errMsg) {
+  if (!errMsg) return null;
+  // Match the path inside single quotes after either "already used by worktree at"
+  // or "already checked out at". Non-greedy so we stop at the closing quote.
+  const m = String(errMsg).match(/already (?:used by worktree|checked out) at ['"]([^'"]+)['"]/);
+  return m ? m[1] : null;
+}
+
 async function findExistingWorktree(repoDir, branchName) {
   try {
     const out = await shared.shellSafeGit(['worktree', 'list', '--porcelain'], { cwd: repoDir, timeout: 10000 });
@@ -658,6 +678,65 @@ function isWorktreeRetryableError(err) {
     || msg.includes('already exists');
 }
 
+// Distinct from isWorktreeRetryableError above: that one covers worktree-add
+// LOCAL contention (index lock, file busy, already exists). This one covers
+// `git fetch` NETWORK-side transients where retrying once is cheap and often
+// recovers — network blips, transient TLS errors, github.com 5xx during a
+// fetch. We deliberately do NOT retry on auth failures, repo-not-found, or
+// "couldn't find remote ref" — those won't change on a 1-2s retry, and
+// re-running them just wastes the dispatch budget.
+function _isTransientGitNetworkError(err) {
+  const msg = String(err?.message || '');
+  return msg.includes('ETIMEDOUT')
+    || msg.includes('ECONNRESET')
+    || msg.includes('ECONNREFUSED')
+    || msg.includes('EAI_AGAIN')
+    || msg.includes('Could not resolve host')
+    || msg.includes('Connection reset')
+    || msg.includes('Connection timed out')
+    || msg.includes('Operation timed out')
+    || msg.includes('timed out')
+    || msg.includes('502 Bad Gateway')
+    || msg.includes('503 Service Unavailable')
+    || msg.includes('504 Gateway Timeout')
+    || msg.includes('RPC failed')
+    || msg.includes('HTTP/2 stream');
+}
+
+// Wraps shellSafeGit(['fetch', ...]) with a single retry on transient
+// network errors. Preserves the pre-fix convention that fetch failures
+// are NON-fatal here: we log + swallow the terminal error so the caller
+// falls back to the local ref. The retry just gives transient errors one
+// shot to recover before that fallback kicks in — empirically eliminates
+// most "couldn't find remote ref" cascades downstream caused by a 0-second
+// network blip during the initial fetch.
+//
+// `args` is the array passed to git AFTER 'fetch' (e.g. ['origin', branch]).
+// `label` is a short string used in the log line for triage.
+async function _fetchWithTransientRetry(args, opts, label) {
+  const _attempt = async () => shared.shellSafeGit(['fetch', ...args], opts);
+  try {
+    await _attempt();
+    return true;
+  } catch (e) {
+    if (!_isTransientGitNetworkError(e)) {
+      log('warn', `git fetch ${label}: ${String(e.message || e).split('\n')[0]}`);
+      return false; // swallow non-transient — caller falls back to local ref
+    }
+    const firstMsg = String(e.message || e).split('\n')[0];
+    log('warn', `git fetch ${label}: transient (${firstMsg}) — retrying once after 1.5s`);
+    await new Promise(r => setTimeout(r, 1500));
+    try {
+      await _attempt();
+      log('info', `git fetch ${label}: succeeded on retry`);
+      return true;
+    } catch (e2) {
+      log('warn', `git fetch ${label}: retry also failed (${String(e2.message || e2).split('\n')[0]}) — falling back to local ref`);
+      return false;
+    }
+  }
+}
+
 function removeStaleIndexLock(rootDir) {
   const lockFile = path.join(rootDir, '.git', 'index.lock');
   try {
@@ -1055,6 +1134,62 @@ async function spawnAgent(dispatchItem, config) {
     );
     cleanupTempAgent(agentId);
   };
+  // Atomic read of the dispatch state to detect when another active
+  // dispatch holds `branchName`. Returns the conflicting dispatch object
+  // (or null when none). Uses mutateDispatch for the file-lock read even
+  // though we don't mutate — the snapshot it gives back is consistent
+  // with what a concurrent writer would see. Caller uses the return value
+  // both as a boolean (truthy = conflict) and to extract the other
+  // dispatch's id for the error message.
+  const _isBranchActivelyUsedByOtherDispatch = (branch, currentId) => {
+    if (!branch || !currentId) return null;
+    const targetBranch = sanitizeBranch(branch);
+    let conflict = null;
+    mutateDispatch((dp) => {
+      conflict = (dp.active || []).find(d => {
+        const dBranch = d.meta?.branch ? sanitizeBranch(d.meta.branch) : '';
+        return dBranch === targetBranch && d.id !== currentId;
+      }) || null;
+      return dp;
+    });
+    return conflict;
+  };
+  // Fail-fast handler for the "branch is checked out elsewhere AND prune
+  // couldn't recover it" case. This is the bug class operators hit when the
+  // project root itself (or a sibling worktree we can't see via
+  // findExistingWorktree) is genuinely holding the branch — the existing
+  // "throw eRemote" path retried every tick forever with no surface signal,
+  // and findExistingWorktree deliberately filters out the project root so
+  // the reuse path never fires for that case. Mark the dispatch non-
+  // retryable so the storm stops, and put the holder path in the message
+  // so the operator can see what to do (`git -C <holder> checkout master`
+  // when the holder is the project root, or kill/finish the agent owning
+  // the sibling worktree). Returns truthy when caller should `return null`.
+  const _failBranchHeldByExternalWorktree = (branchName, holderPath, rawErr) => {
+    const isProjectRoot = holderPath && rootDir
+      && path.resolve(holderPath) === path.resolve(rootDir);
+    const summary = isProjectRoot
+      ? `Branch ${branchName} is held by the project root (${holderPath}). Spawning a worktree against it would create a nested checkout. Switch the root back to master to release the branch.`
+      : `Branch ${branchName} is held by an external worktree at ${holderPath} that this engine can't reach (findExistingWorktree filters out paths at-or-inside the project root, and the holder isn't visible to our worktree list). Resolve the lock and retry.`;
+    log('error', `spawnAgent: ${summary}`);
+    _cleanupPromptFiles();
+    completeDispatch(
+      id,
+      DISPATCH_RESULT.ERROR,
+      summary.slice(0, 800),
+      isProjectRoot
+        ? 'Branch held by the project root checkout. Recovery: `git -C <projectRoot> checkout master` (or whichever branch your engine root should be on). Until the root releases the branch, every retry will fail identically.'
+        : 'Branch held externally. Recovery: find the holding worktree (`git worktree list` from the project root), finish or remove it, then re-dispatch.',
+      { failureClass: FAILURE_CLASS.WORKTREE_PREFLIGHT, agentRetryable: false },
+    );
+    cleanupTempAgent(agentId);
+    // Preserve the raw git output in the dispatch log for debugging — kept
+    // as a side log line rather than the summary so the summary stays
+    // actionable.
+    if (rawErr && rawErr.message) {
+      log('debug', `spawnAgent: raw worktree-add failure for ${id}: ${String(rawErr.message).split('\n')[0]}`);
+    }
+  };
   _phaseT.afterPrompt = Date.now();
 
   if (branchName && READ_ONLY_ROOT_TASK_TYPES.has(type)) {
@@ -1173,6 +1308,31 @@ async function spawnAgent(dispatchItem, config) {
         }
       }
 
+      // Pre-add concurrency guard: refuse to attempt `git worktree add` for a
+      // branch that's already in flight under another dispatch. The
+      // post-failure activelyUsed check on the non-shared path further down
+      // still fires for the legitimate-reuse-of-existing-worktree case, but
+      // the pre-add check closes the race window where two concurrent
+      // dispatches both call `git worktree add` on the same branch before
+      // either notices the conflict — and it now also covers the
+      // shared-branch path, which previously had no activelyUsed guard at
+      // all (a human-triggered review on a shared-branch plan item could
+      // blindly reuse the in-flight implement's worktree).
+      const _activelyUsedByOther = _isBranchActivelyUsedByOtherDispatch(branchName, id);
+      if (_activelyUsedByOther) {
+        const summary = `branch ${branchName} is actively used by dispatch ${_activelyUsedByOther.id} — refusing to spawn a concurrent worktree against the same branch`;
+        log('warn', `spawnAgent: ${summary}`);
+        _cleanupPromptFiles();
+        completeDispatch(
+          id,
+          DISPATCH_RESULT.ERROR,
+          summary,
+          'Another dispatch holds this branch right now. This is retryable — the engine will try again on the next tick after the other dispatch completes.',
+        );
+        cleanupTempAgent(agentId);
+        return null;
+      }
+
       try {
         if (!fs.existsSync(worktreePath)) {
           const isSharedBranch = meta?.branchStrategy === 'shared-branch' || meta?.useExistingBranch;
@@ -1183,7 +1343,7 @@ async function spawnAgent(dispatchItem, config) {
 
           if (isSharedBranch) {
             log('info', `Creating worktree for shared branch: ${worktreePath} on ${branchName}`);
-            try { await shared.shellSafeGit(['fetch', 'origin', branchName], { ..._gitOpts, cwd: rootDir }); } catch (e) { log('warn', 'git: ' + e.message); }
+            await _fetchWithTransientRetry(['origin', branchName], { ..._gitOpts, cwd: rootDir }, `origin/${branchName} (shared-branch pre-create)`);
             try {
               await runWorktreeAdd(rootDir, worktreePath, [branchName], _worktreeGitOpts, worktreeCreateRetries);
             } catch (eShared) {
@@ -1205,7 +1365,16 @@ async function spawnAgent(dispatchItem, config) {
                   if (pruned > 0) {
                     log('info', `Pruned ${pruned} stale worktree entry(ies) for shared branch ${branchName}; retrying worktree add`);
                     await runWorktreeAdd(rootDir, worktreePath, [branchName], _worktreeGitOpts, 0);
-                  } else { throw eShared; }
+                  } else {
+                    // Prune returned 0 — the holder is real, not stale metadata.
+                    // findExistingWorktree returned null because the holder is
+                    // at-or-inside the project root (the deliberate filter), or
+                    // because git's view drifted from ours. Surface non-retryably
+                    // with the holder path so the operator can act.
+                    const holder = _parseAlreadyUsedHolderPath(eShared.message);
+                    if (holder) { _failBranchHeldByExternalWorktree(branchName, holder, eShared); return null; }
+                    throw eShared;
+                  }
                 }
               } else if (eShared.message?.includes('invalid reference') || eShared.message?.includes('not a valid ref')) {
                 // Branch doesn't exist yet (first item in plan) — create it from main
@@ -1235,7 +1404,7 @@ async function spawnAgent(dispatchItem, config) {
             if (_branchOnRemote) {
               // Mirror shared-branch fetch+add (~line 1157-1159).
               log('info', `origin/${branchName} exists — checking out remote branch instead of -b from ${mainRef}`);
-              try { await shared.shellSafeGit(['fetch', 'origin', branchName], { ..._gitOpts, cwd: rootDir, timeout: 30000 }); } catch (e) { log('warn', 'git: ' + e.message); }
+              await _fetchWithTransientRetry(['origin', branchName], { ..._gitOpts, cwd: rootDir, timeout: 30000 }, `origin/${branchName} (non-shared pre-create)`);
               try {
                 await runWorktreeAdd(rootDir, worktreePath, [branchName], _worktreeGitOpts, worktreeCreateRetries);
               } catch (eRemote) {
@@ -1267,7 +1436,14 @@ async function spawnAgent(dispatchItem, config) {
                     if (pruned > 0) {
                       log('info', `Pruned ${pruned} stale worktree entry(ies) for ${branchName}; retrying worktree add`);
                       await runWorktreeAdd(rootDir, worktreePath, [branchName], _worktreeGitOpts, 0);
-                    } else { throw eRemote; }
+                    } else {
+                      // Same recovery shape as the shared-branch path above:
+                      // prune was a no-op, so the holder is a real worktree.
+                      // Mark non-retryable with the holder path in the message.
+                      const holder = _parseAlreadyUsedHolderPath(eRemote.message);
+                      if (holder) { _failBranchHeldByExternalWorktree(branchName, holder, eRemote); return null; }
+                      throw eRemote;
+                    }
                   }
                 } else { throw eRemote; }
               }
@@ -1285,12 +1461,12 @@ async function spawnAgent(dispatchItem, config) {
               // the dep-merge phase's own fetch + the on-failure
               // `git reset --hard origin/<mainRef>` recovery remain as safety nets.
               let _freshCreateBase = mainRef;
-              try {
-                await shared.shellSafeGit(['fetch', 'origin', mainRef], { ..._gitOpts, cwd: rootDir, timeout: 30000 });
-                _freshCreateBase = `origin/${mainRef}`;
-              } catch (mainFetchErr) {
-                log('warn', `Failed to fetch origin/${mainRef} before fresh-create worktree for ${branchName}: ${mainFetchErr.message} — falling back to local ${mainRef}`);
-              }
+              const _baseFetchOk = await _fetchWithTransientRetry(
+                ['origin', mainRef],
+                { ..._gitOpts, cwd: rootDir, timeout: 30000 },
+                `origin/${mainRef} (fresh-create base for ${branchName})`
+              );
+              if (_baseFetchOk) _freshCreateBase = `origin/${mainRef}`;
               try {
                 await runWorktreeAdd(rootDir, worktreePath, ['-b', branchName, _freshCreateBase], _worktreeGitOpts, worktreeCreateRetries);
               } catch (e1) {
@@ -1311,7 +1487,7 @@ async function spawnAgent(dispatchItem, config) {
                   }
                 } else {
                   // Branch already exists — try checkout without -b
-                  try { await shared.shellSafeGit(['fetch', 'origin', branchName], { ..._gitOpts, cwd: rootDir }); } catch (e) { log('warn', 'git: ' + e.message); }
+                  await _fetchWithTransientRetry(['origin', branchName], { ..._gitOpts, cwd: rootDir }, `origin/${branchName} (fresh-create fallback)`);
                   try {
                     await runWorktreeAdd(rootDir, worktreePath, [branchName], _worktreeGitOpts, worktreeCreateRetries);
                     log('info', `Reusing existing branch: ${branchName}`);
@@ -5134,6 +5310,39 @@ function discoverFromWorkItems(config, project) {
     const hardPinnedAgent = routing.getHardPinnedAgent(item, config.agents || {});
     const hardPinRequested = !!hardPinnedAgent;
     let agentId = hardPinnedAgent || resolveAgent(workType, config, { agentHints });
+    // W-mpmwxn1j — Per-agent retry threshold. When the same agent has failed
+    // this WI maxRetriesPerAgent times, force-reassign to a different
+    // eligible agent. Hard-pinned agents bypass reassignment (operator
+    // intent wins). If no alternate is available we fall back to the same
+    // agent + write a dated inbox note so the operator can intervene.
+    if (agentId && !hardPinRequested) {
+      const maxPerAgent = shared.resolveMaxRetriesPerAgent(config);
+      const failsForAgent = shared.getAgentRetryCount(item, agentId);
+      if (failsForAgent >= maxPerAgent) {
+        const altAgent = resolveAgent(workType, config, { agentHints, excludeAgent: agentId });
+        if (altAgent && altAgent !== agentId) {
+          log('info', `Per-agent retry threshold reached: ${item.id} reassigning ${agentId} → ${altAgent} (${failsForAgent}/${maxPerAgent} failures by ${agentId})`);
+          agentId = altAgent;
+        } else {
+          // No alternate available — log + inbox note (writeToInbox dedupes
+          // per-day-per-slug, so re-runs in the same day stay quiet).
+          log('warn', `Per-agent retry threshold reached for ${item.id} (${agentId}) but no alternate agent available for work type "${workType}" — falling back to same agent`);
+          try {
+            shared.writeToInbox('engine', `per-agent-retry-no-alternate-${item.id}`,
+              `# Per-agent retry threshold — no alternate available\n\n` +
+              `Work item: \`${item.id}\` — ${item.title || ''}\n\n` +
+              `Agent **${agentId}** has failed this WI ${failsForAgent} times ` +
+              `(threshold: ${maxPerAgent}). The engine attempted to reassign to a ` +
+              `different eligible agent for work type **${workType}** but no alternate was found ` +
+              `(routing.md preferred/fallback both excluded, no idle named agent, ` +
+              `temp agents disabled or budget exhausted). Re-dispatching to **${agentId}** anyway ` +
+              `to avoid deadlock.\n\n` +
+              `Action: review routing.md, add another agent for this work type, or enable ` +
+              `\`allowTempAgents\` so the engine has a fallback target.\n`);
+          } catch (e) { log('warn', 'per-agent retry inbox write failed: ' + e.message); }
+        }
+      }
+    }
     let reservedAgentId = agentId;
     const cfgAgents = config.agents || {};
     const budgetBlocked = Object.keys(cfgAgents).some(id => {
@@ -6339,6 +6548,26 @@ async function tickInner() {
   // 2. Consolidate inbox
   safe('consolidateInbox', () => consolidateInbox(config));
 
+  // 2.1. Auto-consolidate memory — opt-in periodic KB sweep. Inbox→notes
+  // already runs above every tick (threshold-gated); this phase only adds
+  // the KB sweep that was previously dashboard-button-only. Gated by
+  // engine.autoConsolidateMemory; 4h cadence enforced inside shouldAutoSweep().
+  if (config.engine?.autoConsolidateMemory === true) {
+    safe('autoSweepKb', () => {
+      const { shouldAutoSweep, spawnSweepRunnerDetached } = require('./engine/kb-sweep');
+      const decision = shouldAutoSweep();
+      if (!decision.shouldSpawn) return;
+      const result = spawnSweepRunnerDetached({
+        log: (level, msg) => log(level === 'error' ? 'warn' : 'info', `auto-sweep: ${msg}`),
+      });
+      if (result.ok) {
+        log('info', `auto-sweep: spawned KB sweep (reason=${decision.reason}, pid=${result.pid})`);
+      } else {
+        log('warn', `auto-sweep: spawn failed: ${result.error}`);
+      }
+    });
+  }
+
   // 2.5. Periodic cleanup + MCP sync (every 10 ticks = ~5 minutes)
   if (tickCount % 10 === 0) {
     try { await runCleanup(config); } catch (e) { log('warn', `runCleanup: ${e.message}`); }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.2044",
+  "version": "0.1.2045",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"