@yemi33/minions 0.1.2122 → 0.1.2124

package/engine/lifecycle.js

@@ -14,6 +14,7 @@ const { trackEngineUsage } = require('./llm');
 const { resolveRuntime } = require('./runtimes');
 const adoGitAuth = require('./ado-git-auth');
 const queries = require('./queries');
+const harness = require('./harness');
 const { isBranchActive } = require('./cooldown');
 const { worktreeMatchesBranch, getWorktreeBranch, cleanupMergedPrLocalBranch } = require('./cleanup');
 const { getConfig, getInboxFiles, getNotes, getPrs, getDispatch,
@@ -4040,6 +4041,82 @@ function handleDecompositionResult(stdout, meta, config, runtimeName) {
   return 0;
 }
 
+/**
+ * Tri-agent harness mode (W-mq07a9gf000jbc2b): when an evaluator completes,
+ * parse its verdict against the configured rubric/threshold and — if the
+ * artifact didn't pass and the iteration cap hasn't been hit — append a
+ * fresh Generator+Evaluator pair so the harness can iterate on its own
+ * artifact. Returns the number of work items appended (0 = terminal stop,
+ * either pass or cap reached).
+ *
+ * Called from runPostCompletionHooks after a successful run when the
+ * dispatched item carries _harness.role === 'evaluator'.
+ */
+function handleHarnessIterationResult(stdout, structuredCompletion, meta, config) {
+  const evaluatorItem = meta?.item;
+  if (!evaluatorItem?._harness || evaluatorItem._harness.role !== harness.HARNESS_ROLE.EVALUATOR) return 0;
+
+  let verdict;
+  try {
+    verdict = harness.parseEvaluatorVerdict(stdout || '', structuredCompletion || null);
+  } catch (err) {
+    log('warn', `Harness ${evaluatorItem._harness.missionId}: verdict parse failed — ${err.message}; treating as terminal stop`);
+    return 0;
+  }
+
+  if (!harness.shouldIterateAgain(evaluatorItem._harness, verdict)) {
+    const reason = verdict.pass === true ? 'passed' :
+      (evaluatorItem._harness.iteration >= evaluatorItem._harness.maxIterations ? 'max iterations reached' :
+      'inconclusive verdict');
+    log('info', `Harness mission ${evaluatorItem._harness.missionId} terminal stop (iteration ${evaluatorItem._harness.iteration}, ${reason}, score=${verdict.score ?? 'n/a'})`);
+    return 0;
+  }
+
+  let nextItems;
+  try {
+    nextItems = harness.createIterationWorkItems(evaluatorItem, verdict, {});
+  } catch (err) {
+    log('warn', `Harness ${evaluatorItem._harness.missionId}: iteration build failed — ${err.message}`);
+    return 0;
+  }
+  if (!Array.isArray(nextItems) || nextItems.length === 0) return 0;
+
+  // Mirror handleDecompositionResult: scan central + per-project work-items.json
+  // and append into the file that owns the evaluator (the trio always lands in
+  // the central file in practice — scheduler.discoverScheduledWork writes
+  // directly to engine/work-items.json via engine.js — but iterate defensively).
+  const projects = shared.getProjects(config);
+  const allPaths = [path.join(MINIONS_DIR, 'work-items.json')];
+  for (const p of projects) allPaths.push(shared.projectWorkItemsPath(p));
+
+  let appendedTo = null;
+  for (const wiPath of allPaths) {
+    let found = false;
+    mutateJsonFileLocked(wiPath, data => {
+      if (!Array.isArray(data)) return data;
+      const evaluator = data.find(i => i.id === evaluatorItem.id);
+      if (!evaluator) return data;
+      found = true;
+      // De-dupe by id in case a previous tick already appended the next pair.
+      const existingIds = new Set(data.map(i => i.id));
+      for (const it of nextItems) {
+        if (existingIds.has(it.id)) continue;
+        data.push(it);
+      }
+      return data;
+    }, { defaultValue: [] });
+    if (found) { appendedTo = wiPath; break; }
+  }
+
+  if (!appendedTo) {
+    log('warn', `Harness ${evaluatorItem._harness.missionId}: evaluator ${evaluatorItem.id} not found in any work-items.json — iteration skipped`);
+    return 0;
+  }
+
+  log('info', `Harness mission ${evaluatorItem._harness.missionId} iterating: appended ${nextItems.length} work items (next iteration: ${nextItems[0]._harness.iteration}, score=${verdict.score ?? 'n/a'})`);
+  return nextItems.length;
+}
+
 /**
  * W-mpg58wv3 — auto-dispatch a re-review WI when a fix-WI born from a minion
  * REQUEST_CHANGES marks done. Closure-loop for the shared Yemi reviewer slot:
@@ -4386,6 +4463,19 @@ async function runPostCompletionHooks(dispatchItem, agentId, code, stdout, confi
     }
   }
 
+  // Tri-agent harness iteration (W-mq07a9gf000jbc2b): if the evaluator just
+  // completed successfully and verdict says retry, append the next Gen+Eval
+  // pair into the same work-items.json. Engine will dispatch them on the
+  // next tick. No interaction with skipDoneStatus — the evaluator itself
+  // still marks DONE; iteration is a sibling write, not a parent decomp.
+  if (effectiveSuccess && meta?.item?._harness?.role === harness.HARNESS_ROLE.EVALUATOR) {
+    try {
+      handleHarnessIterationResult(stdout, structuredCompletion, meta, config);
+    } catch (err) {
+      log('warn', `Harness iteration hook failed for ${meta.item.id}: ${err.message}`);
+    }
+  }
+
   // Verify review work items include a verdict — must run BEFORE updateWorkItemStatus(DONE),
   // same pattern as plan-to-prd (#893): updateWorkItemStatus deletes _retryCount, so the check
   // must read/increment it before that happens. Also sets skipDoneStatus so completedAt isn't
@@ -5204,6 +5294,7 @@ module.exports = {
   isPrAttachmentRequired,
   extractDecompositionJson,
   handleDecompositionResult,
+  handleHarnessIterationResult,
   processCompletionFollowups,
   // W-mpg58wv3 — closure-loop dispatch helpers (exported for testing).
   dispatchReReviewForFix,

package/engine/scheduler.js

@@ -25,7 +25,8 @@ const fs = require('fs');
 const path = require('path');
 const shared = require('./shared');
 const routing = require('./routing');
-const { safeJson, safeWrite, mutateJsonFileLocked, mutateScheduleRuns, ts, dateStamp, WI_STATUS, WORK_TYPE } = shared;
+const harness = require('./harness');
+const { safeJson, safeWrite, mutateJsonFileLocked, mutateScheduleRuns, ts, dateStamp, log, WI_STATUS, WORK_TYPE } = shared;
 
 const SCHEDULE_RUNS_PATH = path.join(shared.MINIONS_DIR, 'engine', 'schedule-runs.json');
 
@@ -186,9 +187,9 @@ function createScheduledWorkItem(sched) {
   };
 }
 
-function writeScheduleRunEntry(runs, scheduleId, workItemId) {
+function writeScheduleRunEntry(runs, scheduleId, workItemId, extra) {
   const existing = typeof runs[scheduleId] === 'object' && runs[scheduleId] ? runs[scheduleId] : {};
-  runs[scheduleId] = { ...existing, lastRun: ts(), lastWorkItemId: workItemId };
+  runs[scheduleId] = { ...existing, lastRun: ts(), lastWorkItemId: workItemId, ...(extra || {}) };
   return runs[scheduleId];
 }
 
@@ -222,6 +223,42 @@ function discoverScheduledWork(config) {
       const lastRun = typeof runEntry === 'string' ? runEntry : (runEntry?.lastRun || null);
       if (!shouldRunNow(sched, lastRun)) continue;
 
+      // Tri-agent harness mode (W-mq07a9gf000jbc2b): a single schedule firing
+      // produces a coordinated Planner → Generator → Evaluator trio rather than
+      // a single work item. Validate config first — on bad config, skip this
+      // tick WITHOUT recording a schedule run so the operator can fix the
+      // config and the next tick will pick it up.
+      if (sched.harness_mode === harness.HARNESS_MODE.TRI_AGENT) {
+        const validation = harness.validateHarnessConfig(sched);
+        if (!validation.valid) {
+          log('warn', `Scheduler: harness config invalid for ${sched.id} — skipping (errors: ${validation.errors.join('; ')})`);
+          continue;
+        }
+        try {
+          // Resolve schedule-time template variables on the title/description
+          // BEFORE handing the schedule to the harness builder so subtask
+          // prompts inherit the same substitutions as regular schedules.
+          const resolvedSched = {
+            ...sched,
+            title: resolveScheduleTemplateVars(sched.title),
+            description: resolveScheduleTemplateVars(sched.description || sched.title),
+            harness_rubric: resolveScheduleTemplateVars(sched.harness_rubric),
+          };
+          const mission = harness.createTriAgentMission(resolvedSched);
+          for (const it of mission.items) work.push(it);
+          // Record the mission's planner id as lastWorkItemId for compatibility
+          // with the existing schedule-runs shape, plus lastMissionId so the
+          // dashboard and consolidation tooling can join across the trio.
+          writeScheduleRunEntry(runs, sched.id, mission.items[0].id, {
+            lastMissionId: mission.missionId,
+            harnessMode: harness.HARNESS_MODE.TRI_AGENT,
+          });
+        } catch (err) {
+          log('warn', `Scheduler: tri-agent mission build failed for ${sched.id}: ${err.message}`);
+        }
+        continue;
+      }
+
       // Substitute schedule-time template vars (e.g. {{date}}) before the work
       // item is written — single-pass playbook rendering can't reach placeholders
       // embedded inside task_description, so they must be resolved up front.

package/engine/shared.js

@@ -3503,6 +3503,9 @@ const FAILURE_CLASS = {
   MANAGED_SPAWN_HEALTHCHECK_FAILED: 'managed-spawn-healthcheck-failed', // P-7a3b1c92: at least one managed-spawn spec was spawned but failed its healthcheck within timeout_s. Engine killed the failing PIDs; siblings stay alive. Dispatch ERROR with the failing spec name + log tail surfaced in the inbox alert.
   INJECTION_FLAGGED: 'injection-flagged', // F5 (W-mpeklod3000we69c): the agent set `securityFlags.injectionAttempt:true` in its completion report after spotting a prompt-injection attempt inside an <UNTRUSTED-INPUT> fence. Engine writes a security inbox note + stamps `_securityFlag` on the WI and treats the dispatch as non-retryable so a human can review the source before the agent re-runs.
   MODEL_UNAVAILABLE: 'model-unavailable', // W-mpg6isvy000xca4d: requested model returned overloaded_error / 503 / service_unavailable. Retriable — engine swaps in the runtime-appropriate fallback model on next spawn (Claude leans on --fallback-model already plumbed; Copilot overrides --model with engine.copilotFallbackModel).
+  WORKSPACE_MANIFEST_REPO: 'workspace-manifest-repo-forbidden', // W-mq07avbk000m5543: dispatch routed an agent to a project/repo not present in its workspace_manifest.allowed_repos. Structural — never retryable until the manifest is widened or a different agent is chosen.
+  WORKSPACE_MANIFEST_TOOL: 'workspace-manifest-tool-forbidden', // W-mq07avbk000m5543: out-of-scope tool call (manifest enforcement at the runtime gate). Non-retryable as-is.
+  WORKSPACE_MANIFEST_URL: 'workspace-manifest-url-forbidden',   // W-mq07avbk000m5543: out-of-scope external URL fetch. Non-retryable as-is.
   UNKNOWN: 'unknown',                     // Unclassified failure
 };
 const ESCALATION_POLICY = {
@@ -3594,6 +3597,243 @@ function pruneDefaultClaudeConfig(config) {
   return changed;
 }
 
+// ── Workspace Manifest (W-mq07avbk000m5543) ──────────────────────────────────
+//
+// Per-agent declarative permission manifest, inspired by OpenAI's AGENTS.md /
+// Workspace Manifest primitive (April 2026). Lives on each agent definition
+// under `workspace_manifest`:
+//
+//   {
+//     allowed_tools:         string[] | null,   // tool-name whitelist; null = no restriction
+//     allowed_repos:         string[] | null,   // canonical PR-scope or owner/repo allow-list; null = no restriction
+//     allowed_external_urls: string[] | null,   // host allow-list (apex or *.subdomain); null = no restriction
+//     memory_scope:          'private' | 'shared' | 'read-only-shared'  // default 'shared'
+//   }
+//
+// Backward compat: any null/missing field is permissive — a config with no
+// manifest behaves exactly as the pre-manifest engine did. Enforcement is
+// performed at three points today:
+//
+//   1. Dispatch time (engine.js spawnAgent): `agentCanUseRepo()` is checked
+//      against the resolved project; mismatch fails with FAILURE_CLASS.WORKSPACE_MANIFEST_REPO.
+//   2. Spawn flags (engine.js spawnAgent): `mergeManifestAllowedTools()` narrows
+//      the runtime adapter's `--allowedTools` flag so the CLI itself enforces it.
+//   3. Documentation/agent context (playbook.js): the manifest is surfaced in the
+//      agent prompt so the agent knows its scope. URL + memory_scope enforcement
+//      remains advisory pending future runtime intercepts.
+
+const MEMORY_SCOPES = ['private', 'shared', 'read-only-shared'];
+
+const WORKSPACE_MANIFEST_DEFAULTS = {
+  allowed_tools: null,
+  allowed_repos: null,
+  allowed_external_urls: null,
+  memory_scope: 'shared',
+};
+
+function _isStringArrayOrNull(value, fieldName, errors) {
+  if (value == null) return;
+  if (!Array.isArray(value)) {
+    errors.push(`workspace_manifest.${fieldName} must be an array of strings (got ${typeof value})`);
+    return;
+  }
+  for (let i = 0; i < value.length; i++) {
+    if (typeof value[i] !== 'string' || value[i].length === 0) {
+      errors.push(`workspace_manifest.${fieldName}[${i}] must be a non-empty string`);
+    }
+  }
+}
+
+/**
+ * Validate a workspace_manifest object. Returns `{ ok, errors }`.
+ * A `null`/`undefined` manifest is valid (it falls through to defaults).
+ */
+function validateWorkspaceManifest(manifest) {
+  const errors = [];
+  if (manifest == null) return { ok: true, errors };
+  if (typeof manifest !== 'object' || Array.isArray(manifest)) {
+    return { ok: false, errors: ['workspace_manifest must be an object'] };
+  }
+  _isStringArrayOrNull(manifest.allowed_tools, 'allowed_tools', errors);
+  _isStringArrayOrNull(manifest.allowed_repos, 'allowed_repos', errors);
+  _isStringArrayOrNull(manifest.allowed_external_urls, 'allowed_external_urls', errors);
+  if (manifest.memory_scope != null && !MEMORY_SCOPES.includes(manifest.memory_scope)) {
+    errors.push(`workspace_manifest.memory_scope must be one of ${MEMORY_SCOPES.join('|')} (got "${manifest.memory_scope}")`);
+  }
+  return { ok: errors.length === 0, errors };
+}
+
+/**
+ * Resolve an agent's effective workspace manifest by merging the per-agent
+ * value (if any) over `WORKSPACE_MANIFEST_DEFAULTS`. Returns a fresh copy on
+ * every call so callers can mutate the result without leaking changes back
+ * into the shared default reference.
+ *
+ * A malformed `agent.workspace_manifest` (non-object) silently falls back to
+ * defaults — the engine logs a warning at config-load time via
+ * `validateWorkspaceManifest`, so a strict reject here would just turn a
+ * documented config error into a runtime crash.
+ */
+function resolveAgentManifest(agent, _config) {
+  const out = { ...WORKSPACE_MANIFEST_DEFAULTS };
+  if (!agent || typeof agent !== 'object') return out;
+  const m = agent.workspace_manifest;
+  if (!m || typeof m !== 'object' || Array.isArray(m)) return out;
+  if (Array.isArray(m.allowed_tools)) out.allowed_tools = m.allowed_tools.slice();
+  if (Array.isArray(m.allowed_repos)) out.allowed_repos = m.allowed_repos.slice();
+  if (Array.isArray(m.allowed_external_urls)) out.allowed_external_urls = m.allowed_external_urls.slice();
+  if (typeof m.memory_scope === 'string' && MEMORY_SCOPES.includes(m.memory_scope)) {
+    out.memory_scope = m.memory_scope;
+  }
+  return out;
+}
+
+function _repoTargetToScopeCandidates(target) {
+  // Accepts a project object or a string identifier. Returns an array of
+  // lowercased canonical/shorthand strings to match against the allow-list.
+  if (!target) return [];
+  if (typeof target === 'string') {
+    const raw = target.trim();
+    if (!raw) return [];
+    const lower = raw.toLowerCase();
+    const candidates = new Set([lower]);
+    // Strip host prefix to surface the bare owner/repo form too.
+    const m = lower.match(/^(github|ado):(.+)$/);
+    if (m) candidates.add(m[2]);
+    return [...candidates];
+  }
+  if (typeof target === 'object') {
+    try {
+      const scope = getProjectPrScope(target);
+      if (scope) {
+        const lower = scope.toLowerCase();
+        const candidates = new Set([lower]);
+        const m = lower.match(/^(github|ado):(.+)$/);
+        if (m) candidates.add(m[2]);
+        return [...candidates];
+      }
+    } catch { /* defensive: malformed project — fall through */ }
+  }
+  return [];
+}
+
+/**
+ * Check whether `agent` (with its workspace_manifest) is allowed to operate
+ * against `repoTarget`. `repoTarget` may be a project object or a string
+ * (canonical `github:owner/repo` / `ado:org/proj/repo` or bare `owner/repo`).
+ *
+ * - `null`/missing manifest or `allowed_repos: null` → permissive (returns true).
+ * - Empty allow-list (`[]`) → denies everything (deliberate lockdown).
+ * - Empty/null target → returns false (cannot scope a target with no identity).
+ * - Comparison is case-insensitive; bare `owner/repo` in the manifest matches
+ *   both the host-prefixed canonical form and the bare form on the target.
+ */
+function agentCanUseRepo(agent, repoTarget) {
+  const manifest = resolveAgentManifest(agent);
+  if (manifest.allowed_repos == null) return true;
+  const candidates = _repoTargetToScopeCandidates(repoTarget);
+  if (candidates.length === 0) return false;
+  const allowed = manifest.allowed_repos.map(r => String(r).trim().toLowerCase()).filter(Boolean);
+  if (allowed.length === 0) return false;
+  // Build the same candidate set for each allow-list entry so bare owner/repo
+  // matches host-prefixed forms and vice versa.
+  for (const entry of allowed) {
+    const entryCandidates = _repoTargetToScopeCandidates(entry);
+    if (entryCandidates.some(e => candidates.includes(e))) return true;
+  }
+  return false;
+}
+
+/**
+ * Check whether `agent` may invoke `toolName`. Case-sensitive comparison —
+ * tool names are canonical (e.g. `Edit`, `Read`, `Bash`).
+ *
+ * Null/missing `allowed_tools` → permissive.
+ * Empty array → denies everything.
+ */
+function agentCanUseTool(agent, toolName) {
+  const manifest = resolveAgentManifest(agent);
+  if (manifest.allowed_tools == null) return true;
+  if (typeof toolName !== 'string' || toolName.length === 0) return false;
+  return manifest.allowed_tools.includes(toolName);
+}
+
+/**
+ * Check whether `agent` may fetch `urlString`. Wildcard entries of the form
+ * `*.example.com` match any subdomain AND the apex (`example.com`). Bare
+ * `example.com` matches only the exact host.
+ *
+ * Null/missing `allowed_external_urls` → permissive.
+ * Empty array → denies everything.
+ * Malformed URL → denied (cannot extract host to compare).
+ */
+function agentCanFetchUrl(agent, urlString) {
+  const manifest = resolveAgentManifest(agent);
+  if (manifest.allowed_external_urls == null) return true;
+  let host = '';
+  try {
+    host = new URL(String(urlString)).hostname.toLowerCase();
+  } catch { return false; }
+  if (!host) return false;
+  if (manifest.allowed_external_urls.length === 0) return false;
+  for (const raw of manifest.allowed_external_urls) {
+    const entry = String(raw).trim().toLowerCase();
+    if (!entry) continue;
+    if (entry.startsWith('*.')) {
+      const suffix = entry.slice(2);
+      if (host === suffix || host.endsWith('.' + suffix)) return true;
+    } else if (host === entry) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/** Return the agent's effective memory scope. Unknown values fall back to 'shared'. */
+function agentMemoryScope(agent) {
+  const manifest = resolveAgentManifest(agent);
+  return MEMORY_SCOPES.includes(manifest.memory_scope) ? manifest.memory_scope : 'shared';
+}
+
+/**
+ * Merge a manifest's `allowed_tools` list into the runtime adapter's existing
+ * `allowedTools` CSV baseline. Returns the merged CSV string the runtime
+ * adapter expects (Claude/Copilot/Codex all accept `--allowedTools <csv>`).
+ *
+ * Semantics:
+ *   - `manifestTools == null` → baseline unchanged (manifest unrestricted).
+ *   - `manifestTools == []` → empty string (deliberate deny-all lockdown).
+ *   - `baseline` empty + `manifestTools` non-empty → manifest becomes the new ceiling.
+ *   - Otherwise → intersection (manifest narrows baseline); order follows manifest.
+ */
+function mergeManifestAllowedTools(baseline, manifestTools) {
+  if (manifestTools == null) return baseline == null ? '' : baseline;
+  if (!Array.isArray(manifestTools)) return baseline == null ? '' : baseline;
+  if (manifestTools.length === 0) return '';
+  const baselineSet = (() => {
+    if (baseline == null || baseline === '') return null; // no baseline = no ceiling
+    const parts = String(baseline).split(',').map(s => s.trim()).filter(Boolean);
+    return new Set(parts);
+  })();
+  if (baselineSet == null) return manifestTools.filter(Boolean).join(',');
+  return manifestTools.filter(t => typeof t === 'string' && baselineSet.has(t)).join(',');
+}
+
+/**
+ * Build a human-readable rejection message describing an out-of-scope tool/repo/url
+ * call against an agent's manifest. Used by the dispatch repo gate (engine.js)
+ * and surfaced into the dispatch failure record + inbox alert.
+ */
+function formatManifestRejection({ agentId, kind, target, allowed } = {}) {
+  const agent = agentId || '<unknown-agent>';
+  const k = kind || 'tool';
+  const t = (typeof target === 'string' ? target : JSON.stringify(target)) || '<unknown>';
+  const allowList = Array.isArray(allowed) && allowed.length > 0
+    ? allowed.join(', ')
+    : '(none)';
+  return `workspace_manifest rejection — agent "${agent}" attempted ${k} "${t}" but its workspace_manifest.allowed_${k}s does not include it. Allowed: ${allowList}.`;
+}
+
 // ── Project Helpers ──────────────────────────────────────────────────────────
 
 function getProjects(config) {
@@ -5926,13 +6166,29 @@ function getPinnedItems() {
 // Generic rate-limit tracker reusable by both ADO and GitHub integrations.
 // Returns an object with recordThrottle, recordSuccess, isThrottled, getState.
 
-function createThrottleTracker({ label, baseBackoffMs = 60000, maxBackoffMs = 32 * 60000 } = {}) {
+function createThrottleTracker({ label, baseBackoffMs = 60000, maxBackoffMs = 32 * 60000, jitterRatio = 0.2 } = {}) {
+  // Clamp jitterRatio to [0, 0.5]. Out-of-range or non-finite inputs warn and clamp.
+  // jitter is dither on the SCHEDULED WAKE only — the deterministic 60s→32min
+  // ladder is unchanged. Server Retry-After remains the FLOOR; jitter extends
+  // upward only (multiplier in [1, 1 + jitterRatio]), never shortens.
+  let _jitterRatio = jitterRatio;
+  if (typeof _jitterRatio !== 'number' || !Number.isFinite(_jitterRatio) || _jitterRatio < 0 || _jitterRatio > 0.5) {
+    const clamped = (typeof _jitterRatio === 'number' && Number.isFinite(_jitterRatio))
+      ? Math.max(0, Math.min(0.5, _jitterRatio))
+      : 0.2;
+    log('warn', `[${label}] createThrottleTracker: invalid jitterRatio ${_jitterRatio}, clamped to ${clamped}`);
+    _jitterRatio = clamped;
+  }
+
   let state = { throttled: false, retryAfter: 0, consecutiveHits: 0, backoffMs: baseBackoffMs };
 
   function recordThrottle(retryAfterMs) {
     state.consecutiveHits++;
     state.backoffMs = Math.min(state.backoffMs * 2, maxBackoffMs);
-    const waitMs = (retryAfterMs > 0) ? retryAfterMs : state.backoffMs;
+    const baseWaitMs = (retryAfterMs > 0) ? retryAfterMs : state.backoffMs;
+    // Apply jitter on top of the base wake. Multiplier is in [1, 1 + jitterRatio]
+    // so the wake is jittered upward only — server Retry-After stays a floor.
+    const waitMs = baseWaitMs * (1 + (Math.random() * _jitterRatio));
     state.throttled = true;
     state.retryAfter = Date.now() + waitMs;
     // Throttle retries are deterministic backoff math — info, not warn.
@@ -6087,6 +6343,17 @@ module.exports = {
   DEFAULT_AGENTS,
   DEFAULT_CLAUDE,
   pruneDefaultClaudeConfig,
+  // Workspace manifest (W-mq07avbk000m5543)
+  MEMORY_SCOPES,
+  WORKSPACE_MANIFEST_DEFAULTS,
+  validateWorkspaceManifest,
+  resolveAgentManifest,
+  agentCanUseRepo,
+  agentCanUseTool,
+  agentCanFetchUrl,
+  agentMemoryScope,
+  mergeManifestAllowedTools,
+  formatManifestRejection,
   getProjects,
   formatUnknownProjectError,
   findProjectByName,

package/engine.js

@@ -1232,6 +1232,37 @@ async function spawnAgent(dispatchItem, config) {
   }
   const metaProjectFields = metaProject && typeof metaProject === 'object' ? metaProject : {};
   const project = projectResolution.project ? { ...projectResolution.project, ...metaProjectFields } : {};
+
+  // ── Workspace manifest repo gate (W-mq07avbk000m5543) ────────────────────
+  // Dispatch-time enforcement of `agents.<id>.workspace_manifest.allowed_repos`.
+  // Built-in agents and any agent without a manifest are permissive (returns
+  // true). Temp agents (temp-*) don't appear in config.agents so they fall
+  // through to permissive as well. Mismatch fails non-retryably because the
+  // structural answer is "widen the manifest or pick a different agent" —
+  // re-spawning the same agent against the same project would deterministically
+  // re-trip the gate.
+  const _manifestAgent = (config.agents && config.agents[agentId]) || null;
+  if (project && project.name && !shared.agentCanUseRepo(_manifestAgent, project)) {
+    const _manifest = shared.resolveAgentManifest(_manifestAgent);
+    const _scope = (() => { try { return shared.getProjectPrScope(project) || project.name; } catch { return project.name; } })();
+    const msg = shared.formatManifestRejection({
+      agentId,
+      kind: 'repo',
+      target: _scope,
+      allowed: _manifest.allowed_repos,
+    });
+    log('warn', `spawnAgent: workspace-manifest repo gate denied ${agentId} → ${_scope} for ${id}`);
+    completeDispatch(
+      id,
+      DISPATCH_RESULT.ERROR,
+      msg.slice(0, 800),
+      'workspace_manifest.allowed_repos blocks this agent from this repo. Widen the manifest or route the work to a different agent.',
+      { failureClass: FAILURE_CLASS.WORKSPACE_MANIFEST_REPO, agentRetryable: false },
+    );
+    cleanupTempAgent(agentId);
+    return null;
+  }
+
   // W-mp73x32w000l143d: decouple agent cwd from worktree placement.
   // resolveSpawnPaths returns:
   //   - read-only types: { cwd: <project dir or MINIONS_DIR>, worktreeRootDir: null }
@@ -2405,7 +2436,10 @@ async function spawnAgent(dispatchItem, config) {
   const args = _buildAgentSpawnFlags(runtime, {
     model: effectiveModel,
     maxTurns: _maxTurnsForType(type, engineConfig),
-    allowedTools: claudeConfig.allowedTools,
+    allowedTools: shared.mergeManifestAllowedTools(
+      claudeConfig.allowedTools,
+      shared.resolveAgentManifest(_manifestAgent).allowed_tools,
+    ),
     effort: requestedEffort,
     sessionId: cachedSessionId,
     maxBudget: resolvedMaxBudget,
@@ -2775,7 +2809,10 @@ async function spawnAgent(dispatchItem, config) {
       const resumeArgs = _buildAgentSpawnFlags(runtime, {
         model: effectiveModel,
         maxTurns: engineConfig?.maxTurns || ENGINE_DEFAULTS.maxTurns,
-        allowedTools: claudeConfig?.allowedTools,
+        allowedTools: shared.mergeManifestAllowedTools(
+          claudeConfig?.allowedTools,
+          shared.resolveAgentManifest(_manifestAgent).allowed_tools,
+        ),
         sessionId: steerSessionId,
         maxBudget: resolvedMaxBudget,
         bare: resolvedBare,
@@ -3944,7 +3981,7 @@ function reconcileItemsWithPrs(items, allPrs, { onlyIds } = {}) {
 // ─── Inbox Consolidation (extracted to engine/consolidation.js) ──────────────
 
 const { consolidateInbox } = require('./engine/consolidation');
-const { pollPrStatus, pollPrHumanComments, reconcilePrs, checkLiveReviewStatus: adoCheckLiveReview, checkLiveBuildAndConflict: adoCheckLiveBuildAndConflict, needsAdoPollRetry, getAdoToken, isAdoThrottled } = require('./engine/ado');
+const { pollPrStatus, pollPrHumanComments, reconcilePrs, checkLiveReviewStatus: adoCheckLiveReview, checkLiveBuildAndConflict: adoCheckLiveBuildAndConflict, needsAdoPollRetry, getAdoToken, isAdoThrottled, getAdoThrottleStateAll } = require('./engine/ado');
 const { pollPrStatus: ghPollPrStatus, pollPrHumanComments: ghPollPrHumanComments, reconcilePrs: ghReconcilePrs, checkLiveReviewStatus: ghCheckLiveReview, checkLiveBuildAndConflict: ghCheckLiveBuildAndConflict, isGhThrottled } = require('./engine/github');
 
 // ─── State Snapshot ─────────────────────────────────────────────────────────
@@ -6878,12 +6915,35 @@ async function discoverWork(config) {
         mutateJsonFileLocked(centralPath, (items) => {
           if (!Array.isArray(items)) items = [];
           let added = 0;
+          // Snapshot active dedup keys BEFORE the loop so multiple items in the
+          // same harness mission (same _missionId) all land in one tick. Without
+          // this snapshot, the first item's push would block subsequent items
+          // in the same mission from joining (W-mq07a9gf000jbc2b — tri-agent
+          // harness mode requires Planner+Generator+Evaluator to land together).
+          const activeMissionIds = new Set();
+          const activeScheduleIds = new Set();
+          for (const existing of items) {
+            if (existing.status === WI_STATUS.DONE || existing.status === WI_STATUS.FAILED) continue;
+            if (existing._missionId) activeMissionIds.add(existing._missionId);
+            if (existing._scheduleId) activeScheduleIds.add(existing._scheduleId);
+          }
+          const addedScheduleIdsThisTick = new Set();
           for (const item of taskItems) {
-            if (!items.some(i => i._scheduleId === item._scheduleId && i.status !== WI_STATUS.DONE && i.status !== WI_STATUS.FAILED)) {
-              items.push(item);
-              added++;
-              log('info', `Scheduled task fired: ${item._scheduleId} → ${item.title}`);
+            // Mission items dedup by _missionId against pre-existing rows only
+            // (the trio's other items added later in this loop must not block
+            // each other). Plain scheduled items keep the original scheduleId
+            // dedup AND skip if a sibling item from the same tick already
+            // claimed the schedule slot.
+            if (item._missionId) {
+              if (activeMissionIds.has(item._missionId)) continue;
+            } else {
+              if (activeScheduleIds.has(item._scheduleId)) continue;
+              if (addedScheduleIdsThisTick.has(item._scheduleId)) continue;
             }
+            items.push(item);
+            if (!item._missionId && item._scheduleId) addedScheduleIdsThisTick.add(item._scheduleId);
+            added++;
+            log('info', `Scheduled task fired: ${item._scheduleId} → ${item.title}`);
           }
           return items;
         }, { defaultValue: [] });
@@ -7349,10 +7409,18 @@ async function tickInner() {
     lastPrStatusPollAt = now;
     // Build promise array — enabled+unthrottled polls run concurrently via Promise.allSettled
     const statusPolls = [];
-    if (adoPollEnabled && !isAdoThrottled()) {
-      statusPolls.push(pollPrStatus(config).catch(err => { log('warn', `ADO PR status poll error: ${err?.message || err}${err?.stack ? ' | ' + err.stack.split('\n')[1]?.trim() : ''}`); }));
-    } else if (adoPollEnabled && isAdoThrottled()) {
-      log('info', '[ado] PR status poll skipped — throttled');
+    if (adoPollEnabled) {
+      // Per-org throttle skip happens inside forEachActivePr (one log line per skipped project).
+      // Top-level short-circuit: when every known ADO org is throttled, skip the whole phase
+      // with one log line to avoid the per-project iteration cost.
+      const adoThrottleStates = getAdoThrottleStateAll() || {};
+      const adoOrgCount = Object.keys(adoThrottleStates).length;
+      const allAdoThrottled = adoOrgCount > 0 && Object.values(adoThrottleStates).every(s => s && s.throttled);
+      if (allAdoThrottled) {
+        log('info', `[ado] PR status poll skipped — all ${adoOrgCount} known orgs throttled`);
+      } else {
+        statusPolls.push(pollPrStatus(config).catch(err => { log('warn', `ADO PR status poll error: ${err?.message || err}${err?.stack ? ' | ' + err.stack.split('\n')[1]?.trim() : ''}`); }));
+      }
     }
     if (ghPollEnabled && !isGhThrottled()) {
       statusPolls.push(ghPollPrStatus(config).catch(err => { log('warn', `GitHub PR status poll error: ${err?.message || err}${err?.stack ? ' | ' + err.stack.split('\n')[1]?.trim() : ''}`); }));
@@ -7395,10 +7463,18 @@ async function tickInner() {
     lastPrCommentsPollAt = now;
     // Build promise array — enabled+unthrottled comment polls run concurrently via Promise.allSettled
     const commentPolls = [];
-    if (adoPollEnabled && !isAdoThrottled()) {
-      commentPolls.push(pollPrHumanComments(config).catch(err => { log('warn', `ADO PR comment poll error: ${err?.message || err}${err?.stack ? ' | ' + err.stack.split('\n')[1]?.trim() : ''}`); }));
-    } else if (adoPollEnabled && isAdoThrottled()) {
-      log('info', '[ado] PR comment poll skipped — throttled');
+    if (adoPollEnabled) {
+      // Per-org throttle skip happens inside forEachActivePr (one log line per skipped project).
+      // Top-level short-circuit: when every known ADO org is throttled, skip the whole phase
+      // with one log line to avoid the per-project iteration cost.
+      const adoThrottleStates = getAdoThrottleStateAll() || {};
+      const adoOrgCount = Object.keys(adoThrottleStates).length;
+      const allAdoThrottled = adoOrgCount > 0 && Object.values(adoThrottleStates).every(s => s && s.throttled);
+      if (allAdoThrottled) {
+        log('info', `[ado] PR comment poll skipped — all ${adoOrgCount} known orgs throttled`);
+      } else {
+        commentPolls.push(pollPrHumanComments(config).catch(err => { log('warn', `ADO PR comment poll error: ${err?.message || err}${err?.stack ? ' | ' + err.stack.split('\n')[1]?.trim() : ''}`); }));
+      }
     }
     if (ghPollEnabled && !isGhThrottled()) {
       commentPolls.push(ghPollPrHumanComments(config).catch(err => { log('warn', `GitHub PR comment poll error: ${err?.message || err}${err?.stack ? ' | ' + err.stack.split('\n')[1]?.trim() : ''}`); }));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.2122",
+  "version": "0.1.2124",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"