@yemi33/minions 0.1.2087 → 0.1.2088

package/docs/security.md

@@ -71,6 +71,29 @@ system. Its threat model:
   - Baseline **security headers** (CSP, `X-Content-Type-Options`,
     `Referrer-Policy`, clickjacking protections) applied to every response
     via `shared.buildSecurityHeaders()`.
+  - **Narrowed `Access-Control-Allow-Origin` on GET/HEAD reads**
+    (P-bfa2c-cors-wildcard). Before this change the dashboard echoed
+    `Access-Control-Allow-Origin: *` on every read response, which let
+    any cross-origin browser page (e.g. `https://attacker.com`) issue
+    `fetch('http://localhost:7331/api/*')` and **read** the JSON body —
+    exposing operator-private state (config, PR data, work items, agent
+    transcripts). The GET/HEAD prelude now echoes ACAO **only** when the
+    request's `Origin` header matches the dashboard's own served origin
+    (`http://localhost:7331`) or an entry in
+    `config.engine.allowedDashboardOrigins` (default `[]`). Requests
+    without an `Origin` header (curl, uptime monitors, Node
+    `http.request`) receive **no** ACAO header — that path was already
+    cross-origin-unreadable and is preserved verbatim. To opt a
+    reverse-proxy origin in, set in `config.json`:
+
+    ```json
+    { "engine": { "allowedDashboardOrigins": ["https://minions.example.com"] } }
+    ```
+
+    Entries are matched verbatim against the request `Origin` header
+    (scheme + host + port; no path, no wildcards). See
+    `shared.isAllowedDashboardOrigin()` in
+    [`engine/shared.js`](../engine/shared.js).
 
 ### Residual risks tracked elsewhere
 

package/engine/ado.js

@@ -6,7 +6,7 @@
 const path = require('path');
 const childProcess = require('child_process');
 const shared = require('./shared');
-const { exec, execAsync, getAdoOrgBase, log, ts, dateStamp, PR_STATUS, createThrottleTracker } = shared;
+const { exec, execAsync, getAdoOrgBase, log, ts, dateStamp, PR_STATUS, BUILD_STATUS, REVIEW_STATUS, FETCH_TIMEOUT_MS, ADO_TOKEN_REFRESH_MAX_RETRIES, createThrottleTracker } = shared;
 const { getPrs } = require('./queries');
 const { mutateJsonFileLocked } = shared;
 const { acquireAdoToken } = require('./ado-token');
@@ -396,16 +396,16 @@ function applyAdoPrMetadata(pr, prData) {
 
 /** Classify an array of ADO build records into a single status string. */
 function classifyBuildStatus(prBuilds) {
-  if (!prBuilds.length) return 'none';
+  if (!prBuilds.length) return BUILD_STATUS.NONE;
   // partiallySucceeded = warnings, not failures — counts as passing
   const hasFailed = prBuilds.some(b => b.result === 'failed' || b.result === 'canceled');
   const allDone = prBuilds.every(b => b.status === 'completed');
   const allPassed = prBuilds.every(b => b.result === 'succeeded' || b.result === 'partiallySucceeded');
   const hasRunning = prBuilds.some(b => b.status === 'inProgress' || b.status === 'notStarted');
-  if (hasFailed && allDone) return 'failing';
-  if (allDone && allPassed) return 'passing';
-  if (hasRunning) return 'running';
-  return 'none';
+  if (hasFailed && allDone) return BUILD_STATUS.FAILING;
+  if (allDone && allPassed) return BUILD_STATUS.PASSING;
+  if (hasRunning) return BUILD_STATUS.RUNNING;
+  return BUILD_STATUS.NONE;
 }
 
 /**
@@ -424,10 +424,10 @@ function classifyBuildStatus(prBuilds) {
  */
 function classifyStaleBuilds(allBuilds, cachedBuildStatus) {
   const staleStatus = classifyBuildStatus(allBuilds);
-  if (staleStatus === 'failing') {
-    return { buildStatus: 'failing', buildStaleMergeCommit: true };
+  if (staleStatus === BUILD_STATUS.FAILING) {
+    return { buildStatus: BUILD_STATUS.FAILING, buildStaleMergeCommit: true };
   }
-  return { buildStatus: cachedBuildStatus || 'none', buildStaleMergeCommit: false };
+  return { buildStatus: cachedBuildStatus || BUILD_STATUS.NONE, buildStaleMergeCommit: false };
 }
 
 /**
@@ -474,10 +474,10 @@ async function queueFreshAdoBuild({ orgBase, project, prNumber, definitionId, to
 
 /** Map ADO reviewer vote array to a review status string. */
 function votesToReviewStatus(votes) {
-  if (votes.some(v => v === -10)) return 'changes-requested';
-  if (votes.some(v => v >= 5)) return 'approved';
-  if (votes.some(v => v === -5)) return 'waiting';
-  return 'pending';
+  if (votes.some(v => v === -10)) return REVIEW_STATUS.CHANGES_REQUESTED;
+  if (votes.some(v => v >= 5)) return REVIEW_STATUS.APPROVED;
+  if (votes.some(v => v === -5)) return REVIEW_STATUS.WAITING;
+  return REVIEW_STATUS.PENDING;
 }
 
 // ─── Reviewer Vote Snapshots (W-mpg58wv3) ────────────────────────────────────
@@ -735,7 +735,7 @@ async function adoFetch(url, token, opts = {}) {
   const method = (typeof opts === 'object' && opts.method) || 'GET';
   const body = (typeof opts === 'object' && opts.body) || undefined;
   const timeout = (typeof opts === 'object' && Number.isFinite(opts.timeout)) ? opts.timeout : 30000;
-  const MAX_RETRIES = 1;
+  const MAX_RETRIES = ADO_TOKEN_REFRESH_MAX_RETRIES;
   const res = await fetch(url, {
     method,
     headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' },
@@ -936,8 +936,8 @@ async function forEachActivePr(config, token, callback) {
           if (idx >= 0) {
             // Never downgrade reviewStatus from 'approved' — it's a permanent terminal state
             // The disk version may have been set to 'approved' by another writer after we read
-            if (currentPrs[idx].reviewStatus === 'approved' && after.reviewStatus !== 'approved') {
-              after.reviewStatus = 'approved';
+            if (currentPrs[idx].reviewStatus === REVIEW_STATUS.APPROVED && after.reviewStatus !== REVIEW_STATUS.APPROVED) {
+              after.reviewStatus = REVIEW_STATUS.APPROVED;
             }
             shared.applyPrFieldDelta(currentPrs[idx], before, after);
           }
@@ -1016,12 +1016,12 @@ async function pollPrStatus(config) {
       }
 
       if (newStatus === PR_STATUS.MERGED || newStatus === PR_STATUS.ABANDONED) {
-        if (pr.reviewStatus === 'waiting') {
-          pr.reviewStatus = newStatus === PR_STATUS.MERGED ? 'approved' : 'pending';
+        if (pr.reviewStatus === REVIEW_STATUS.WAITING) {
+          pr.reviewStatus = newStatus === PR_STATUS.MERGED ? REVIEW_STATUS.APPROVED : REVIEW_STATUS.PENDING;
           log('info', `PR ${pr.id} reviewStatus: waiting → ${pr.reviewStatus} (${newStatus})`);
         }
         // Clear stale build status — checks won't be polled after close
-        if (pr.buildStatus && pr.buildStatus !== 'none') {
+        if (pr.buildStatus && pr.buildStatus !== BUILD_STATUS.NONE) {
           delete pr.buildStatus;
           delete pr.buildFailReason;
           delete pr.buildErrorLog;
@@ -1063,7 +1063,7 @@ async function pollPrStatus(config) {
         // F6 not yet shipped (field absent).
         delete pr.humanFeedback.editsSeen;
         pr.fixDispatched = false;
-        if (pr.reviewStatus !== 'approved') pr.reviewStatus = 'pending';
+        if (pr.reviewStatus !== REVIEW_STATUS.APPROVED) pr.reviewStatus = REVIEW_STATUS.PENDING;
         log('info', `PR ${pr.id} reopened — reset transient state (reviewStatus=${pr.reviewStatus})`);
       }
     }
@@ -1156,10 +1156,10 @@ async function pollPrStatus(config) {
 
     const reviewers = prData.reviewers || [];
     const votes = reviewers.map(r => r.vote).filter(v => v !== undefined);
-    let newReviewStatus = pr.reviewStatus || 'pending';
+    let newReviewStatus = pr.reviewStatus || REVIEW_STATUS.PENDING;
     // Once approved, it stays approved permanently
-    if (pr.reviewStatus === 'approved') {
-      newReviewStatus = 'approved';
+    if (pr.reviewStatus === REVIEW_STATUS.APPROVED) {
+      newReviewStatus = REVIEW_STATUS.APPROVED;
       // Re-approve: ADO resets votes when target branch (master) advances, even though
       // the source branch is unchanged. Re-apply the approval vote via API.
       if (!votes.some(v => v >= 5) && sourceCommit && pr._adoSourceCommit === sourceCommit) {
@@ -1176,15 +1176,15 @@ async function pollPrStatus(config) {
       }
     } else if (votes.length > 0) {
       if (votes.some(v => v === -10)) {
-        if (pr.reviewStatus === 'waiting' && pr.minionsReview?.fixedAt && (!pr.lastPushedAt || pr.lastPushedAt <= pr.minionsReview.fixedAt)) {
-          newReviewStatus = 'waiting';
+        if (pr.reviewStatus === REVIEW_STATUS.WAITING && pr.minionsReview?.fixedAt && (!pr.lastPushedAt || pr.lastPushedAt <= pr.minionsReview.fixedAt)) {
+          newReviewStatus = REVIEW_STATUS.WAITING;
         } else {
-          newReviewStatus = 'changes-requested';
+          newReviewStatus = REVIEW_STATUS.CHANGES_REQUESTED;
         }
       }
-      else if (votes.some(v => v >= 5)) newReviewStatus = 'approved';
-      else if (votes.some(v => v === -5)) newReviewStatus = 'waiting';
-      else newReviewStatus = 'pending';
+      else if (votes.some(v => v >= 5)) newReviewStatus = REVIEW_STATUS.APPROVED;
+      else if (votes.some(v => v === -5)) newReviewStatus = REVIEW_STATUS.WAITING;
+      else newReviewStatus = REVIEW_STATUS.PENDING;
     }
 
     // Store human reviewer names who approved or requested changes
@@ -1215,7 +1215,7 @@ async function pollPrStatus(config) {
     // inbox warning only; never touches the vote, never auto-dispatches,
     // never posts a comment. See engine/ado-vote-snapshots.json for storage.
     try {
-      const identityData = await adoFetch(`${orgBase}/_apis/connectionData?api-version=7.1`, token, { timeout: 4000 }).catch(() => null);
+      const identityData = await adoFetch(`${orgBase}/_apis/connectionData?api-version=7.1`, token, { timeout: FETCH_TIMEOUT_MS.ADO_API }).catch(() => null);
       const myId = identityData?.authenticatedUser?.id;
       if (myId) {
         const myReviewer = reviewers.find(r => String(r?.id || '').toLowerCase() === String(myId).toLowerCase());
@@ -1257,7 +1257,7 @@ async function pollPrStatus(config) {
     // merge commit (same ref accumulates builds across all prior pushes to the PR).
     const prNumber = pr.prNumber;
     const mergeCommitId = prData.lastMergeCommit?.commitId;
-    let buildStatus = pr.buildStatus || 'none';
+    let buildStatus = pr.buildStatus || BUILD_STATUS.NONE;
     let buildFailReason = pr.buildFailReason || '';
     let buildFailureSignature = pr.buildFailureSignature || '';
     let buildStatusResolved = true;
@@ -1277,12 +1277,12 @@ async function pollPrStatus(config) {
           const buildsData = await adoFetch(buildsUrl, token);
           const allBuilds = buildsData?.value || [];
           const prBuilds = allBuilds.filter(b => b.sourceVersion === mergeCommitId);
-          buildStatus = 'none';
+          buildStatus = BUILD_STATUS.NONE;
           buildFailReason = '';
 
           if (prBuilds.length > 0) {
             buildStatus = classifyBuildStatus(prBuilds);
-            if (buildStatus === 'failing') {
+            if (buildStatus === BUILD_STATUS.FAILING) {
               const failed = prBuilds.find(b => b.result === 'failed');
               buildFailReason = failed?.definition?.name || 'Build failed';
               buildFailureSignature = shared.safeSlugComponent([
@@ -1332,11 +1332,11 @@ async function pollPrStatus(config) {
         } catch (e) {
           buildStatusResolved = false;
           buildStatusStaleDetail = `ADO build query failed: ${e.message}`;
-          log('warn', `ADO build query for ${pr.id}: ${e.message}; preserving previous buildStatus '${pr.buildStatus || 'none'}'`);
+          log('warn', `ADO build query for ${pr.id}: ${e.message}; preserving previous buildStatus '${pr.buildStatus || BUILD_STATUS.NONE}'`);
         }
       }
     } else {
-      buildStatus = 'none';
+      buildStatus = BUILD_STATUS.NONE;
       buildFailReason = '';
     }
 
@@ -1357,7 +1357,7 @@ async function pollPrStatus(config) {
 
     if (buildStatusResolved) {
       if (pr.buildStatus !== buildStatus) {
-        log('info', `PR ${pr.id} build: ${pr.buildStatus || 'none'} → ${buildStatus}${buildFailReason ? ' (' + buildFailReason + ')' : ''}`);
+        log('info', `PR ${pr.id} build: ${pr.buildStatus || BUILD_STATUS.NONE} → ${buildStatus}${buildFailReason ? ' (' + buildFailReason + ')' : ''}`);
         pr.buildStatus = buildStatus;
         if (buildFailReason) pr.buildFailReason = buildFailReason;
         else delete pr.buildFailReason;
@@ -1365,8 +1365,8 @@ async function pollPrStatus(config) {
         else delete pr.buildFailureSignature;
         // Build transitioned — clear grace period and auto-complete flag
         delete pr._buildFixPushedAt;
-        if (buildStatus === 'failing') delete pr._autoCompleted;
-        if (buildStatus !== 'failing') {
+        if (buildStatus === BUILD_STATUS.FAILING) delete pr._autoCompleted;
+        if (buildStatus !== BUILD_STATUS.FAILING) {
           delete pr._buildFailNotified;
           delete pr._buildStatusStale;
           delete pr._buildStatusDetail;
@@ -1376,7 +1376,7 @@ async function pollPrStatus(config) {
           // update but no new builds have been triggered yet (filter by sourceVersion
           // returns []), which previously wiped the last known error log and caused
           // fix agents to be dispatched blind.
-          if (buildStatus === 'passing') {
+          if (buildStatus === BUILD_STATUS.PASSING) {
             delete pr.buildErrorLog;
             delete pr.buildFailureSignature;
             // Reset build fix retry counter on recovery — allows fresh auto-fix cycles if build breaks again
@@ -1385,7 +1385,7 @@ async function pollPrStatus(config) {
         }
         updated = true;
       }
-      if (buildStatus === 'failing') {
+      if (buildStatus === BUILD_STATUS.FAILING) {
         if (buildFailReason && pr.buildFailReason !== buildFailReason) {
           pr.buildFailReason = buildFailReason;
           updated = true;
@@ -1415,7 +1415,7 @@ async function pollPrStatus(config) {
     // one queue per PR per 30 min via pr._lastBuildRequeueAt. Only PR-
     // validation definitions are queued; non-PR builds are filtered out
     // upstream. Failures are non-fatal — logged warn and skipped.
-    if (buildStatusResolved && buildStatus === 'failing' && buildStaleMergeCommit && staleFailingDefinitions.length > 0) {
+    if (buildStatusResolved && buildStatus === BUILD_STATUS.FAILING && buildStaleMergeCommit && staleFailingDefinitions.length > 0) {
       if (shouldRequeueStaleBuild(pr)) {
         let queuedCount = 0;
         for (const def of staleFailingDefinitions) {
@@ -1439,7 +1439,7 @@ async function pollPrStatus(config) {
     }
 
     // Auto-complete: set auto-complete on PR when builds green + review approved
-    if (pr.status === PR_STATUS.ACTIVE && pr.reviewStatus === 'approved' && pr.buildStatus === 'passing' && !pr._autoCompleted) {
+    if (pr.status === PR_STATUS.ACTIVE && pr.reviewStatus === REVIEW_STATUS.APPROVED && pr.buildStatus === BUILD_STATUS.PASSING && !pr._autoCompleted) {
       const autoComplete = config.engine?.autoCompletePrs === true; // opt-in
       if (autoComplete) {
         try {
@@ -1806,7 +1806,7 @@ async function reconcilePrs(config) {
             title: (adoPr.title || `PR #${adoPr.pullRequestId}`).slice(0, 120),
             agent: (linkedItem?.dispatched_to || adoPr.createdBy?.displayName || 'unknown').toLowerCase(),
             branch,
-            reviewStatus: 'pending',
+            reviewStatus: REVIEW_STATUS.PENDING,
             status: 'active',
             created: adoPr.creationDate || ts(),
             url: prUrl,
@@ -1832,7 +1832,7 @@ async function reconcilePrs(config) {
         title: (adoPr.title || `PR #${adoPr.pullRequestId}`).slice(0, 120),
         agent: (linkedItem?.dispatched_to || adoPr.createdBy?.displayName || 'unknown').toLowerCase(),
         branch,
-        reviewStatus: 'pending',
+        reviewStatus: REVIEW_STATUS.PENDING,
         status: 'active',
         created: adoPr.creationDate || ts(),
         url: prUrl,
@@ -1900,7 +1900,7 @@ async function checkLiveReviewStatus(pr, project) {
     // SEC-02: use in-process adoFetch rather than a shell-out — keeps the bearer
     // token out of the process argv list where any local process could read it.
     // 4s timeout preserves the original request-cancellation semantics via AbortSignal.
-    const prData = await adoFetch(url, token, { timeout: 4000 });
+    const prData = await adoFetch(url, token, { timeout: FETCH_TIMEOUT_MS.ADO_API });
     if (!prData) return null;
     const votes = (prData.reviewers || []).map(r => r.vote).filter(v => v !== undefined);
     if (votes.length === 0) return 'pending';
@@ -1965,10 +1965,10 @@ async function resetReviewerNegativeVote(pr, project) {
     const repoBase = `${orgBase}/${project.adoProject}/_apis/git/repositories/${encodedRepoId}`;
     const prUrl = `${repoBase}/pullrequests/${prNum}?api-version=7.1`;
     // 4s timeout — same budget as checkLiveReviewStatus.
-    const prData = await adoFetch(prUrl, token, { timeout: 4000 });
+    const prData = await adoFetch(prUrl, token, { timeout: FETCH_TIMEOUT_MS.ADO_API });
     if (!prData) return null;
     // Identify our authenticated reviewer entry.
-    const identityData = await adoFetch(`${orgBase}/_apis/connectionData?api-version=7.1`, token, { timeout: 4000 }).catch(() => null);
+    const identityData = await adoFetch(`${orgBase}/_apis/connectionData?api-version=7.1`, token, { timeout: FETCH_TIMEOUT_MS.ADO_API }).catch(() => null);
     const myId = identityData?.authenticatedUser?.id;
     if (!myId) return null;
     const myReviewer = (prData.reviewers || []).find(r => String(r?.id || '').toLowerCase() === String(myId).toLowerCase());
@@ -1988,7 +1988,7 @@ async function resetReviewerNegativeVote(pr, project) {
     await adoFetch(`${repoBase}/pullrequests/${prNum}/reviewers/${myId}?api-version=7.1`, token, {
       method: 'PUT',
       body: JSON.stringify({ vote: 10 }),
-      timeout: 4000,
+      timeout: FETCH_TIMEOUT_MS.ADO_API,
     });
     log('info', `PR ${pr.id}: reset reviewer vote ${myVote} → 10 on verdict flip`);
     return { attempted: true, changed: true, fromVote: myVote, toVote: 10 };
@@ -2041,7 +2041,7 @@ async function checkLiveBuildAndConflict(pr, project) {
     // 4s timeout — same budget as checkLiveReviewStatus. This is a pre-dispatch
     // gate; we'd rather miss a freshness signal and fall back to cache than
     // block dispatch on a slow ADO call.
-    const prData = await adoFetch(prUrl, token, { timeout: 4000 });
+    const prData = await adoFetch(prUrl, token, { timeout: FETCH_TIMEOUT_MS.ADO_API });
     if (!prData) return null;
 
     // Conflict signal — ADO reports `mergeStatus: 'conflicts'` when the merge
@@ -2058,7 +2058,7 @@ async function checkLiveBuildAndConflict(pr, project) {
     if (prData.status === 'active') {
       const mergeCommitId = prData.lastMergeCommit?.commitId;
       if (mergeCommitId) {
-        const buildRepositoryGuid = await resolveAdoBuildRepositoryGuid(project, token, orgBase, 'ADO live build check', { timeout: 4000 });
+        const buildRepositoryGuid = await resolveAdoBuildRepositoryGuid(project, token, orgBase, 'ADO live build check', { timeout: FETCH_TIMEOUT_MS.ADO_API });
         if (!buildRepositoryGuid) {
           buildStatusStale = true;
           buildStatusDetail = 'ADO Builds API requires a repository GUID; repository GUID could not be resolved from project.repositoryId/project.repoName';
@@ -2066,13 +2066,13 @@ async function checkLiveBuildAndConflict(pr, project) {
           try {
             const mergeRef = encodeURIComponent(`refs/pull/${prNum}/merge`);
             const buildsUrl = `${orgBase}/${project.adoProject}/_apis/build/builds?branchName=${mergeRef}&repositoryId=${encodeURIComponent(buildRepositoryGuid)}&repositoryType=TfsGit&$top=25&api-version=7.1`;
-            const buildsData = await adoFetch(buildsUrl, token, { timeout: 4000 });
+            const buildsData = await adoFetch(buildsUrl, token, { timeout: FETCH_TIMEOUT_MS.ADO_API });
             const allBuilds = buildsData?.value || [];
             const prBuilds = allBuilds.filter(b => b.sourceVersion === mergeCommitId);
             if (prBuilds.length > 0) {
               buildStatus = classifyBuildStatus(prBuilds);
             } else if (allBuilds.length === 0) {
-              buildStatus = 'none';
+              buildStatus = BUILD_STATUS.NONE;
             } else {
               // Stale merge-commit (Issue #2747) — mirror pollPrStatus.
               // Stale-failing flips to 'failing' + buildStaleMergeCommit so
@@ -2095,7 +2095,7 @@ async function checkLiveBuildAndConflict(pr, project) {
       } else {
         // No merge commit yet — likely conflict or fresh PR. Treat as 'none'
         // so a stale 'failing' cache can be cleared by the caller.
-        buildStatus = 'none';
+        buildStatus = BUILD_STATUS.NONE;
       }
     }
 
@@ -2182,7 +2182,7 @@ async function fetchSinglePrBuildStatus(project, prNumber) {
   let buildStatus = buildStatusStale ? null : classifyBuildStatus(prBuilds);
   let buildErrorLog = null;
 
-  if (buildStatus === 'failing') {
+  if (buildStatus === BUILD_STATUS.FAILING) {
     try {
       const failedBuilds = prBuilds.filter(b => b.result === 'failed').map(b => ({
         state: 'failed', _buildId: String(b.id),

package/engine/cli.js

@@ -6,7 +6,7 @@
 const fs = require('fs');
 const path = require('path');
 const shared = require('./shared');
-const { safeRead, safeJson, safeWrite, mutateControl, mutateWorkItems, ts, WI_STATUS, WORK_TYPE, PLAN_STATUS, PR_STATUS, DISPATCH_RESULT } = shared;
+const { safeRead, safeJson, safeWrite, mutateControl, mutateWorkItems, ts, WI_STATUS, WORK_TYPE, PLAN_STATUS, PR_STATUS, REVIEW_STATUS, DISPATCH_RESULT } = shared;
 const queries = require('./queries');
 const { getConfig, getControl, getDispatch, getAgentStatus,
   MINIONS_DIR, ENGINE_DIR, AGENTS_DIR, PLANS_DIR, PRD_DIR, CONTROL_PATH, DISPATCH_PATH } = queries;
@@ -471,41 +471,6 @@ const commands = {
     try { shared.applyLegacyCcModelMigration(config, { logger: e.log }); }
     catch (err) { e.log('warn', `legacy ccModel migration failed: ${err.message}`); }
 
-    // Drop persisted statusWorkItemsRetentionDays=7 (the prior baked-in default)
-    // so the new default of 0 (no trim) reaches installs that opened Settings
-    // before the flip. Explicit non-7 values are preserved. We mutate in-memory
-    // AND rewrite config.json so the fix is permanent — the shim in shared.js
-    // can then retire on schedule without users regressing.
-    try {
-      const applied = shared.applyStatusWorkItemsRetentionMigration(config, { logger: e.log });
-      if (applied) {
-        const configPath = path.join(shared.MINIONS_DIR, 'config.json');
-        shared.mutateJsonFileLocked(configPath, (onDisk) => {
-          if (onDisk && onDisk.engine && onDisk.engine.statusWorkItemsRetentionDays === 7) {
-            delete onDisk.engine.statusWorkItemsRetentionDays;
-          }
-          return onDisk;
-        }, { defaultValue: {}, skipWriteIfUnchanged: true });
-      }
-    }
-    catch (err) { e.log('warn', `statusWorkItemsRetentionDays migration failed: ${err.message}`); }
-
-    // Same treatment for statusMeetingsRetentionDays — the meetings slice had
-    // the same 7-day baked-in default and the same data-loss UX.
-    try {
-      const applied = shared.applyStatusMeetingsRetentionMigration(config, { logger: e.log });
-      if (applied) {
-        const configPath = path.join(shared.MINIONS_DIR, 'config.json');
-        shared.mutateJsonFileLocked(configPath, (onDisk) => {
-          if (onDisk && onDisk.engine && onDisk.engine.statusMeetingsRetentionDays === 7) {
-            delete onDisk.engine.statusMeetingsRetentionDays;
-          }
-          return onDisk;
-        }, { defaultValue: {}, skipWriteIfUnchanged: true });
-      }
-    }
-    catch (err) { e.log('warn', `statusMeetingsRetentionDays migration failed: ${err.message}`); }
-
     // Auto-heal projects missing workSources (cloned-repo / hand-rolled-config
     // footgun): without this block, discoverFromWorkItems / discoverFromPrs
     // bail silently and the engine looks healthy but never dispatches. The
@@ -1604,8 +1569,8 @@ const commands = {
         }
         if (exists && name === 'pullRequests') {
           const prs = safeJson(filePath) || [];
-          const pending = prs.filter(p => p.status === PR_STATUS.ACTIVE && (p.reviewStatus === 'pending' || p.reviewStatus === 'waiting'));
-          const needsFix = prs.filter(p => p.status === PR_STATUS.ACTIVE && p.reviewStatus === 'changes-requested');
+          const pending = prs.filter(p => p.status === PR_STATUS.ACTIVE && (p.reviewStatus === REVIEW_STATUS.PENDING || p.reviewStatus === REVIEW_STATUS.WAITING));
+          const needsFix = prs.filter(p => p.status === PR_STATUS.ACTIVE && p.reviewStatus === REVIEW_STATUS.CHANGES_REQUESTED);
           console.log(`    PRs: ${pending.length} pending review, ${needsFix.length} need fixes`);
         }
         if (exists && name === 'workItems') {

package/engine/db/index.js

@@ -25,7 +25,7 @@ function _resolveDbPath() {
   // Lazy-require shared/queries so this module can be safely required
   // before MINIONS_DIR is computed (e.g. in tests). Falls back to
   // process.env.MINIONS_HOME when available.
-  const envHome = process.env.MINIONS_HOME || process.env.MINIONS_TEST_DIR;
+  const envHome = process.env.MINIONS_TEST_DIR || process.env.MINIONS_HOME;
   let minionsDir = envHome;
   if (!minionsDir) {
     try { minionsDir = require('../shared').MINIONS_DIR; } catch { /* shared not loaded */ }

package/engine/db/migrations/002-dispatches.js

@@ -24,7 +24,7 @@ const path = require('path');
 const fs = require('fs');
 
 function _resolveMinionsDir() {
-  const envHome = process.env.MINIONS_HOME || process.env.MINIONS_TEST_DIR;
+  const envHome = process.env.MINIONS_TEST_DIR || process.env.MINIONS_HOME;
   if (envHome) return envHome;
   try { return require('../../shared').MINIONS_DIR; } catch { return null; }
 }

package/engine/db/migrations/003-work-items.js

@@ -20,7 +20,7 @@ const path = require('path');
 const fs = require('fs');
 
 function _resolveMinionsDir() {
-  const envHome = process.env.MINIONS_HOME || process.env.MINIONS_TEST_DIR;
+  const envHome = process.env.MINIONS_TEST_DIR || process.env.MINIONS_HOME;
   if (envHome) return envHome;
   try { return require('../../shared').MINIONS_DIR; } catch { return null; }
 }

package/engine/db/migrations/004-pull-requests.js

@@ -21,7 +21,7 @@ const path = require('path');
 const fs = require('fs');
 
 function _resolveMinionsDir() {
-  const envHome = process.env.MINIONS_HOME || process.env.MINIONS_TEST_DIR;
+  const envHome = process.env.MINIONS_TEST_DIR || process.env.MINIONS_HOME;
   if (envHome) return envHome;
   try { return require('../../shared').MINIONS_DIR; } catch { return null; }
 }

package/engine/dispatch.js

@@ -967,7 +967,13 @@ function cleanDispatchEntries(matchFn) {
   const filesToDelete = [];
   const dispatchDirsToRemove = [];
   try {
-    mutateJsonFileLocked(DISPATCH_PATH, (dispatch) => {
+    // Route through mutateDispatch so the SQL-backed store (Phase 1) and the
+    // dispatch.json mirror stay coherent. Writing dispatch.json directly with
+    // mutateJsonFileLocked here would leave stale rows in the `dispatches`
+    // table; the very next mutateDispatch call (e.g. removeProject's
+    // step 7.5 orphan-tagging pass) would then mirror SQL back to JSON and
+    // resurrect the entries we just drained.
+    mutateDispatch((dispatch) => {
       for (const queue of ['pending', 'active', 'completed']) {
         dispatch[queue] = Array.isArray(dispatch[queue]) ? dispatch[queue] : [];
         const before = dispatch[queue].length;
@@ -1000,7 +1006,7 @@ function cleanDispatchEntries(matchFn) {
         removed += before - dispatch[queue].length;
       }
       return dispatch;
-    }, { defaultValue: { pending: [], active: [], completed: [] } });
+    });
   } catch { return 0; }
   // Kill processes outside the lock — taskkill on Windows can take hundreds of ms
   for (const pid of pidsToKill) {