@yemi33/minions 0.1.2219 → 0.1.2221

package/dashboard/js/settings.js

@@ -379,6 +379,7 @@ async function openSettings() {
       settingsField('Worktree Root', 'set-worktreeRoot', e.worktreeRoot || '../worktrees', '', 'Relative or absolute path for git worktrees; on Windows prefer a short path like C:\\wt') +
       settingsField('Assert-Clean Status Probe Timeout', 'set-assertCleanStatusTimeoutMs', e.assertCleanStatusTimeoutMs || 10000, 'ms', 'Timeout for the `git status --porcelain` preflight probe in assertCleanSharedWorktree. Raise this (e.g. 60000) on GVFS/Plastic-backed monorepos where sparse hydration runs longer than the 10s default. On timeout the engine quarantines the bad worktree and emits a RETRYABLE failure so the next dispatch starts fresh. Clamped 1000–120000ms.') +
       settingsField('Orphan-holder scan timeout', 'set-orphanHolderScanTimeoutMs', e.orphanHolderScanTimeoutMs || 5000, 'ms', 'Cap on the cross-platform scan (PowerShell / /proc walk / lsof) that identifies the OS process holding a stuck worktree\'s cwd. Bumps up only matter on heavily-loaded hosts where the holder scan races the sweep tick. Clamped 1000–30000ms.') +
+      settingsField('Worktree-holder reap probe timeout', 'set-statusProbeKillTimeoutMs', e.statusProbeKillTimeoutMs || 12000, 'ms', 'Windows-only. Timeout for the pre-quarantine worktree-holder reap probe (legacy git.exe-cmdline sweep + PEB-CWD scan that kills an orphaned agent process tree whose CWD pins the worktree dir, causing EBUSY on rename AND `git worktree remove --force`). The old hardcoded 2000ms was the proximate cause of the reaper being a no-op under concurrent-agent load (PowerShell cold-start + process enumeration exceeded 2s → ETIMEDOUT → reaped nothing). ETIMEDOUT is always swallowed (reap nothing; quarantine still proceeds), so raising this only widens the success window. Clamped 2000–60000ms.') +
     '</div>';
 
   const paneCopilot =
@@ -998,6 +999,7 @@ async function saveSettings() {
       ccUseWorkerPool: !!document.getElementById('set-ccUseWorkerPool')?.checked,
       autoReapOrphanWorktreeHolders: !!document.getElementById('set-autoReapOrphanWorktreeHolders')?.checked,
       orphanHolderScanTimeoutMs: document.getElementById('set-orphanHolderScanTimeoutMs')?.value,
+      statusProbeKillTimeoutMs: document.getElementById('set-statusProbeKillTimeoutMs')?.value,
       adoPollEnabled: document.getElementById('set-adoPollEnabled').checked,
       ghPollEnabled: document.getElementById('set-ghPollEnabled').checked,
       pollingPaused: document.getElementById('set-pollingPaused').checked,

package/dashboard/slim/styles.css

@@ -186,7 +186,11 @@
     .layout {
       display: grid;
       grid-template-columns: minmax(0, 820px) minmax(0, 575px);
-      grid-template-rows: 1fr 1fr;
+      /* Status row is content-sized (`auto`) so the right-side control panel
+         (Watches + Knowledge) grows to fit and never scrolls internally — no
+         fixed/max height. History takes the remaining space and scrolls within
+         its own region. (W-mqgx8qkv0007218d) */
+      grid-template-rows: auto minmax(0, 1fr);
       grid-template-areas:
         "actions status"
         "actions history";
@@ -1100,6 +1104,10 @@
 
     /* ── Status panel sub-divisions: Team cards over System tiles,
        separated by a divider line (no text headers). ──── */
+    /* The Status panel is the right-side control panel. Its body never scrolls
+       internally — the panel grows to fit Team cards + Watches/Knowledge tiles
+       (the status grid row is `auto`-sized). (W-mqgx8qkv0007218d) */
+    .panel-status .panel-body { overflow: visible; }
     .team-section { margin-bottom: 14px; }
     .cockpit-section { padding-top: 14px; border-top: 1px solid var(--border); }
 

package/dashboard.js

@@ -10437,6 +10437,12 @@ What would you like to discuss or change? When you're happy, say "approve" and I
           // 30s ceiling (the scan runs once per orphan-sweep tick and a slow
           // scan must not block the rest of the sweep for minutes).
           orphanHolderScanTimeoutMs: [1000, 30000],
+          // W-mqila0t5 — Windows worktree-holder reap probe timeout. 2s floor
+          // (PowerShell cold-start + PEB enumeration needs headroom; the old
+          // 2000ms hardcode was the no-op bug); 60s ceiling (the reap runs once
+          // on the quarantine path and ETIMEDOUT is swallowed, so a long probe
+          // never wedges dispatch — it just falls through to force-remove).
+          statusProbeKillTimeoutMs: [2000, 60000],
           idleAlertMinutes: [1], shutdownTimeout: [30000], restartGracePeriod: [60000],
           meetingRoundTimeout: [60000],
           // W-mq066js7000fff1f-c (Gap B/C): steering safety-net knobs.

package/docs/auto-discovery.md

@@ -19,7 +19,7 @@ tick()
   2.5 runCleanup()               Periodic cleanup (every 60 ticks ≈ 10min)
   2.52 sweepKeepProcesses()      keep_processes TTL/dead-PID sweep (every 180 ticks)
   2.53 sweepManagedSpawn()       managed_spawn TTL/dead-PID/log-rotate sweep (every 180 ticks)
-  2.54 pruneWorktreesPeriodic()  Periodic worktree GC: in-root + out-of-root git registry sweep (every worktreePruneIntervalTicks ≈ 30 ticks; catches Windows EPERM/EBUSY stragglers and `git worktree list` entries outside worktreeRoot)
+  2.54 pruneWorktreesPeriodic()  Periodic worktree GC: in-root + out-of-root git registry sweep + locked-`initializing` missing-dir reclaim (every worktreePruneIntervalTicks ≈ 30 ticks; catches Windows EPERM/EBUSY stragglers, `git worktree list` entries outside worktreeRoot, and branch-bricking locked missing-dir entries plain prune can't reap)
   2.55 checkWatches()            Persistent watch jobs (every 18 tick-equivalents)
   2.6 pollPrStatus()             Poll ADO + GitHub for build, review, merge status (wall-clock cadence from prPollStatusEvery × tickInterval, default ≈ 12min)
        processPendingRebases()   Run any rebase work queued from the previous tick

package/docs/worktree-lifecycle.md

@@ -160,6 +160,123 @@ trailing `git worktree prune --expire=now` (drops registry entries whose
 dirs are already gone) still runs regardless of ownership. The marker is
 gitignored so it never shows up in any worktree's `git status`.
 
+### Locked-`initializing` missing-dir reclaim (W-mqifblkf00149df5)
+
+A third pruner, `worktree-gc.js#reclaimMissingDirWorktrees`, closes a
+branch-bricking gap the two scanners above are blind to. An interrupted
+`git worktree add` (engine crash / kill during git's `initializing` lock
+phase) leaves a `.git/worktrees/<id>/` ADMIN entry behind — often carrying
+a `locked` file, reason `initializing` — whose backing working directory
+never materialized. The entry still claims the branch, so every later
+`git worktree add <branch>` fails with
+`'<branch>' is already used by worktree at '<path>'`. Because the entry is
+LOCKED, **plain `git worktree prune` skips it by design** (so does the
+out-of-root sweep's `prune --expire=now`), and the in-root scanner walks
+the filesystem where the dir is already gone — neither can reap it. The
+branch stays bricked for all future dispatches until a human runs
+`git worktree unlock` + `git worktree remove -f -f`.
+
+`reclaimMissingDirWorktrees` runs per project on the
+`pruneWorktreesPeriodic` cadence (via `cleanup.js#runPeriodicWorktreeSweep`).
+For each `git worktree list --porcelain` entry it reclaims with
+`git worktree remove -f -f <path>` (the **double force** is required — a
+single `-f` errors `cannot remove a locked working tree`) followed by
+`git worktree prune`, but ONLY for the genuinely-safe case:
+
+1. backing `path` does NOT exist on disk (`!fs.existsSync`) — a present
+   dir may hold unpushed work and is **never** force-removed by this sweep;
+2. no non-terminal dispatch still claims that exact path
+   (`shared.isWorktreePathLive`, fail-open: skip/leak rather than nuke); and
+3. it is not the main checkout (`path === project root`).
+
+The same `remove -f -f` reaper (`engine.js#pruneStaleWorktreeForBranch`) is
+also wired into **both** spawn-time worktree-creation recovery paths —
+`_branchOnRemote === true` AND the fresh-create `else` branch — so a
+dispatch that hits the stale entry at `git worktree add` time recovers
+in-line instead of erroring out.
+
+### Dir-PRESENT CWD-pinned quarantine reap (W-mqila0t5)
+
+The sibling failure mode to the missing-dir case above: the backing dir is
+fully PRESENT (a real checkout), but the dirty-reused-worktree quarantine in
+`engine.js#_quarantineDirtyWorktree` cannot move it aside. The rename returns
+`EBUSY`, and the `git worktree remove --force` fallback ALSO returns `EBUSY`,
+so the dispatch ends `WORKTREE_QUARANTINE_ENV_BLOCKED` and the WI
+auto-recovery loop re-queues into the identical wall.
+
+**Root cause.** The lock holder is *not* a file handle and *not* (only) a
+`git.exe` — it is an ORPHANED AGENT PROCESS TREE left by the prior failed
+dispatch: a `copilot.exe` (the agent CLI) plus its `cmd.exe` / `node.exe` /
+`powershell.exe` children, all still alive with their CURRENT WORKING
+DIRECTORY set to the worktree root. On Windows a live process CWD pins the
+directory, so rename / rmdir / `git worktree remove --force` all return
+`EBUSY` / `ERROR_SHARING_VIOLATION` until those processes die. Two diagnostic
+traps:
+
+- The Windows **Restart Manager (rstrtmgr.dll) returns ZERO lockers** — it is
+  file-handle based, but the lock here is a DIRECTORY handle (CWD). Any
+  file-handle detector false-negatives.
+- A **CommandLine match misses it** — `Win32_Process` does not expose CWD, and
+  the CWD-pinning child's argv never mentions the worktree path.
+
+**The reap (`engine.js#_reapWorktreeHolders`, called before the rename).**
+Windows-only; three layers, each fail-open:
+
+- **Layer 0** — legacy `git.exe`-by-cmdline sweep
+  (`_killGitDescendantsForWorktree`).
+- **Layer 1 — ownership reap (preferred, precise).** For each TERMINAL
+  dispatch that owned this worktree path (discovered via
+  `_findTerminalWorktreeOwners`, which reads the dispatch store's non-live
+  sections), look up its recorded root PID from the PID file
+  (`shared.findDispatchPidFile`) and kill that PID plus its full descendant
+  tree (`shared.listProcessDescendants` → `shared.killImmediate`). Because it
+  only ever kills a tree the engine itself spawned for THIS path, it can never
+  touch a live sibling.
+- **Layer 2 — CWD-scan reap (fallback for orphans the map / PID files no
+  longer track, e.g. after an engine restart).** `shared.findProcessCwdHolders`
+  reads each process's REAL working directory out of its PEB
+  (`NtQueryInformationProcess` → `PebBaseAddress`, then `ReadProcessMemory` of
+  `RTL_USER_PROCESS_PARAMETERS.CurrentDirectory.DosPath`) and returns only
+  processes whose CWD is at/under THIS worktree; each is killed. A live sibling
+  agent running in its OWN worktree has a CWD under a DIFFERENT path and is
+  never reaped.
+
+**Mandatory gates (every reap):**
+
+1. POSIX is a no-op (the `EBUSY` race is Windows-specific).
+2. Master switch `engine.statusProbeKillDescendantsWin32` (default ON).
+3. `shared.isWorktreePathLive(path, { excludeDispatchId })` must be false —
+   fail-open: on a live claim OR on a SQL error / throw the WHOLE reap is
+   SKIPPED (leak a worktree rather than nuke a live agent's unpushed work).
+   This check is **re-run at kill time** before Layer 2 (W-mqinlicl): the PEB
+   probe can take several seconds, and liveness flips on the engine tick — a
+   "not live" snapshot from the top of the function is unsafe to kill on.
+   Verified live: a path flagged orphan-pinned during recon was reused by a
+   fresh dispatch ~2 min later; the kill-time re-check (fail-open) skips the
+   Layer 2 kills once the path goes live, so a newly-live agent is never nuked.
+4. Only CWDs at/under THIS worktreePath are ever reaped.
+
+**Two call sites (W-mqinlicl §6).** `_reapWorktreeHolders` runs both BEFORE the
+quarantine rename (`_quarantineDirtyWorktree`) AND at **dispatch-end GC**
+(`worktree-gc.js#gcDispatchWorktreeIfOrphan`, via the injected `reapHolders`
+hook) right before `shared.removeWorktree`. The dispatch-end call passes the
+ending dispatch's id as `ownerDispatchId` (terminal-owner discovery misses it —
+the owner is still `active`) plus `excludeDispatchId`, so a dispatch always
+reaps the orphaned descendant tree it spawned before releasing its worktree.
+This closes the matching `removeWorktree` `EPERM`/`ETIMEDOUT` removal failures
+at the same root cause as the quarantine `EBUSY`. The reap is best-effort: a
+throw never blocks the removal that follows.
+
+**Probe timeout.** `engine.statusProbeKillTimeoutMs` (default 12000ms, clamped
+2000–60000; Settings → Worker Pool & Worktrees → "Worktree-holder reap probe
+timeout"). The old hardcoded 2000ms was the proximate cause of the reaper
+being a no-op exactly under concurrent-agent load: a PowerShell cold-start +
+process / PEB enumeration over a busy box routinely exceeded 2s, so the probe
+died with `cmd.exe ETIMEDOUT` and reaped nothing. ETIMEDOUT and any other
+throw from a probe are always swallowed (reap nothing), so the quarantine
+still proceeds to its rename / force-remove fallback — raising the timeout
+only widens the window in which the reap can succeed.
+
 ## Holder identification + opt-in auto-reap (W-mq6f2fe0000557fa)
 
 Orphan-sweep escalations also run `shared.findProcessesWithCwdInside(wt)`

package/engine/cleanup.js

@@ -1568,6 +1568,11 @@ function scrubStaleMetrics() {
  *   - `pruneOrphanWorktreesFromGitRegistry`: walks `git worktree list` per
  *     project and reaps registered worktrees outside the configured
  *     `worktreeRoot` (covers `D:/tmp-*`, `D:/squad-worktrees/*`, etc.).
+ *   - `reclaimMissingDirWorktrees` (W-mqifblkf00149df5): walks
+ *     `git worktree list` per project and force-removes (`remove -f -f`) the
+ *     LOCKED-`initializing` entries whose backing dir is MISSING — the
+ *     branch-bricking case plain `prune` can't touch. Gated by missing-dir +
+ *     `isWorktreePathLive`.
  *
  * Both pruners share the SAME `dispatchSnap` from `queries.getDispatch()`
  * so live work isn't yanked between scans. Returns aggregate stats for
@@ -1577,13 +1582,14 @@ function runPeriodicWorktreeSweep(config) {
   const worktreeGc = require('./worktree-gc');
   const projects = getProjects(config);
   if (projects.length === 0) {
-    return { scanned: 0, kept: 0, evicted: 0, failed: 0, outOfRootEvicted: 0, prunedRegistry: 0 };
+    return { scanned: 0, kept: 0, evicted: 0, failed: 0, outOfRootEvicted: 0, prunedRegistry: 0, missingDirReclaimed: 0, missingDirSkippedLive: 0 };
   }
   const dispatchSnap = getDispatch();
   const worktreeRootRel = config?.engine?.worktreeRoot || ENGINE_DEFAULTS.worktreeRoot;
   const _log = (lvl, msg) => log(lvl, msg);
 
   let scanned = 0, kept = 0, evicted = 0, failed = 0, outOfRootEvicted = 0, prunedRegistry = 0;
+  let missingDirReclaimed = 0, missingDirSkippedLive = 0;
   const _writeToInbox = (a, s, c) => { try { return shared.writeToInbox(a, s, c); } catch (_e) { return false; } };
   try {
     const r1 = worktreeGc.pruneOrphanWorktrees({
@@ -1606,7 +1612,22 @@ function runPeriodicWorktreeSweep(config) {
     prunedRegistry += r2.prunedRegistry || 0;
   } catch (e) { log('warn', `worktree-gc periodic out-of-root: ${e.message}`); }
 
-  return { scanned, kept, evicted, failed, outOfRootEvicted, prunedRegistry };
+  // W-mqifblkf00149df5 — reclaim locked-`initializing` worktree entries whose
+  // backing dir is MISSING. Neither pruner above touches these: the in-root
+  // scanner walks the filesystem (the dir is gone, so it's invisible) and the
+  // out-of-root scanner deliberately skips dirs inside worktreeRoot and only
+  // runs a plain `prune` that SKIPS locked entries. Without this, an
+  // interrupted `git worktree add` bricks the branch until a human intervenes.
+  try {
+    const r3 = worktreeGc.reclaimMissingDirWorktrees({
+      projects, log: _log, config,
+    });
+    missingDirReclaimed += r3.reclaimed || 0;
+    missingDirSkippedLive += r3.skippedLive || 0;
+    failed += r3.failed || 0;
+  } catch (e) { log('warn', `worktree-gc periodic missing-dir reclaim: ${e.message}`); }
+
+  return { scanned, kept, evicted, failed, outOfRootEvicted, prunedRegistry, missingDirReclaimed, missingDirSkippedLive };
 }
 
 // ─── Exports ─────────────────────────────────────────────────────────────────

package/engine/shared.js

@@ -2705,6 +2705,18 @@ const ENGINE_DEFAULTS = {
   // incidents are closed by (1b) alone — but both are cheap and idempotent.
   statusProbeUseNoOptionalLocks: true,
   statusProbeKillDescendantsWin32: true,
+  // W-mqila0t5 — generous timeout (ms) for the Windows worktree-holder reap
+  // probe used before/under quarantine. The old hardcoded 2000ms was the
+  // proximate cause of the reaper being a no-op exactly under concurrent-agent
+  // load: a PowerShell cold-start + Win32_Process / PEB-CWD enumeration over a
+  // busy box routinely exceeds 2s, so the probe died with cmd.exe ETIMEDOUT and
+  // reaped nothing — leaving the orphaned, CWD-pinning agent process tree alive
+  // and the worktree dir EBUSY-pinned for rename AND `git worktree remove
+  // --force`. Both the legacy git.exe-cmdline sweep and the new CWD-scan +
+  // ownership reap use this. ETIMEDOUT is always swallowed (reap-nothing), so
+  // raising this only widens the window in which the reap can succeed; it never
+  // blocks the quarantine's rename/force-remove fallback. Clamped 2000–60000ms.
+  statusProbeKillTimeoutMs: 12000,
   completionReportRetentionDays: 90, // retain completion report sidecars beyond capped dispatch history
   completionReportMaxFiles: 5000, // hard cap for completion report sidecars during cleanup
   // P-bfa2c-cors-wildcard: extra Origins permitted to receive an
@@ -7498,6 +7510,120 @@ function _findMacProcessesWithCwdInside(resolved, timeoutMs, now) {
   return out;
 }
 
+// W-mqila0t5 — Windows-only PEB-based CWD probe used by the worktree-holder
+// reaper. Unlike findProcessesWithCwdInside (whose Windows path is a
+// CommandLine-basename heuristic — Win32_Process does NOT expose the working
+// directory), this reads each process's REAL current directory out of its PEB
+// (NtQueryInformationProcess → PebBaseAddress, then ReadProcessMemory of
+// RTL_USER_PROCESS_PARAMETERS.CurrentDirectory.DosPath). That's the only way
+// to find a process that pins a directory via its CWD — e.g. an orphaned
+// copilot.exe / cmd.exe / node.exe agent child whose cwd is the worktree root
+// but whose argv never mentions the path (so the cmdline heuristic
+// false-negatives, and the Restart Manager / file-handle detectors report ZERO
+// lockers because the lock is a DIRECTORY handle, not a file handle).
+//
+// Returns [{ pid, name, cwd }] for processes whose CWD is at-or-under
+// `worktreePath`. POSIX returns [] (the EBUSY race is Windows-specific; POSIX
+// reaping stays a no-op). Fail-open: any error / timeout / spawn failure →
+// [] (reap nothing). x64 offsets only (PebBaseAddress@8, PEB+0x20 →
+// ProcessParameters, RTL_USER_PROCESS_PARAMETERS+0x38 → CurrentDirectory).
+function _windowsCwdProbeScript(psTarget) {
+  return [
+    "$ErrorActionPreference='SilentlyContinue'",
+    `$target = '${psTarget}'.TrimEnd('\\').ToLower()`,
+    'Add-Type -Namespace MinionsPeb -Name Native -MemberDefinition @"',
+    '[DllImport("ntdll.dll")] public static extern int NtQueryInformationProcess(IntPtr h, int cls, byte[] info, int len, ref int ret);',
+    '[DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(int access, bool inherit, int pid);',
+    '[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);',
+    '[DllImport("kernel32.dll")] public static extern bool ReadProcessMemory(IntPtr h, IntPtr baseAddr, byte[] buf, int size, ref int read);',
+    '"@',
+    'function Get-ProcCwd($procId) {',
+    '  $h = [MinionsPeb.Native]::OpenProcess(0x410, $false, $procId)',
+    '  if ($h -eq [IntPtr]::Zero) { return $null }',
+    '  try {',
+    '    $pbi = New-Object byte[] 48; $ret = 0',
+    '    if ([MinionsPeb.Native]::NtQueryInformationProcess($h, 0, $pbi, 48, [ref]$ret) -ne 0) { return $null }',
+    '    $pebBase = [System.BitConverter]::ToInt64($pbi, 8)',
+    '    if ($pebBase -eq 0) { return $null }',
+    '    $p8 = New-Object byte[] 8; $r = 0',
+    '    if (-not [MinionsPeb.Native]::ReadProcessMemory($h, [IntPtr]($pebBase + 0x20), $p8, 8, [ref]$r)) { return $null }',
+    '    $params = [System.BitConverter]::ToInt64($p8, 0)',
+    '    if ($params -eq 0) { return $null }',
+    '    $us = New-Object byte[] 16',
+    '    if (-not [MinionsPeb.Native]::ReadProcessMemory($h, [IntPtr]($params + 0x38), $us, 16, [ref]$r)) { return $null }',
+    '    $len = [System.BitConverter]::ToUInt16($us, 0)',
+    '    $bufPtr = [System.BitConverter]::ToInt64($us, 8)',
+    '    if ($len -le 0 -or $bufPtr -eq 0) { return $null }',
+    '    $sb = New-Object byte[] $len',
+    '    if (-not [MinionsPeb.Native]::ReadProcessMemory($h, [IntPtr]$bufPtr, $sb, $len, [ref]$r)) { return $null }',
+    '    return [System.Text.Encoding]::Unicode.GetString($sb, 0, $len)',
+    '  } finally { [void][MinionsPeb.Native]::CloseHandle($h) }',
+    '}',
+    'foreach ($p in Get-Process) {',
+    '  $cwd = Get-ProcCwd $p.Id',
+    '  if (-not $cwd) { continue }',
+    "  $c = $cwd.TrimEnd('\\').ToLower()",
+    "  if ($c -eq $target -or $c.StartsWith($target + '\\')) {",
+    '    Write-Output ("{0}|{1}|{2}" -f $p.Id, $p.ProcessName, $cwd)',
+    '  }',
+    '}',
+  ].join('\n');
+}
+
+function _parseCwdHolderLines(raw, resolved) {
+  if (!raw || !String(raw).trim()) return [];
+  const prefix = (resolved.replace(/[\\/]+$/g, '') + path.sep).toLowerCase();
+  const target = resolved.replace(/[\\/]+$/g, '').toLowerCase();
+  const out = [];
+  for (const line of String(raw).split(/\r?\n/)) {
+    const t = line.trim();
+    if (!t) continue;
+    const parts = t.split('|');
+    if (parts.length < 3) continue;
+    const pid = Number(parts[0]);
+    if (!Number.isInteger(pid) || pid <= 0) continue;
+    const name = parts[1] || '';
+    const cwd = parts.slice(2).join('|');
+    // Defense-in-depth: re-confirm the cwd is at/under THIS worktree so a
+    // sibling worktree's live agent is never reaped (the script filters too).
+    const cwdLower = cwd.replace(/[\\/]+$/g, '').toLowerCase();
+    if (cwdLower !== target && !cwdLower.startsWith(prefix)) continue;
+    out.push({ pid, name, cwd });
+  }
+  return out;
+}
+
+function findProcessCwdHolders(worktreePath, opts = {}) {
+  if (process.platform !== 'win32') return [];
+  if (!worktreePath || typeof worktreePath !== 'string') return [];
+  let resolved;
+  try { resolved = path.resolve(worktreePath); } catch { return []; }
+  if (!resolved) return [];
+  const timeoutMs = Number(opts.timeoutMs) > 0
+    ? Number(opts.timeoutMs)
+    : (ENGINE_DEFAULTS.statusProbeKillTimeoutMs || 12000);
+  const psTarget = resolved.replace(/'/g, "''");
+  const script = _windowsCwdProbeScript(psTarget);
+  // Run from a temp .ps1 file to avoid fragile inline-quote escaping of the
+  // embedded C#. Fail-open at every step.
+  let scriptPath = null;
+  let raw;
+  try {
+    const dir = _dispatchTmpRoot();
+    try { fs.mkdirSync(dir, { recursive: true }); } catch { /* exists */ }
+    scriptPath = path.join(dir, `cwd-probe-${process.pid}-${Date.now()}.ps1`);
+    fs.writeFileSync(scriptPath, script, 'utf8');
+    raw = _execSync(
+      `powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "${scriptPath}"`,
+      { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'], timeout: timeoutMs, windowsHide: true, maxBuffer: 4 * 1024 * 1024 }
+    );
+  } catch { raw = ''; /* ETIMEDOUT / spawn fail / write fail → reap nothing */ }
+  finally {
+    if (scriptPath) { try { fs.unlinkSync(scriptPath); } catch { /* best-effort */ } }
+  }
+  return _parseCwdHolderLines(raw, resolved);
+}
+
 // W-mq6f2fe0000557fa — clear the per-path failure cooldown entry so the
 // post-holder-reap retry can attempt removeWorktree even though the path
 // has already failed >= 3 times. Without this, the cooldown silently
@@ -8711,6 +8837,7 @@ module.exports = {
   isProcessCommandLineMatchingAgent,
   listAllProcesses,
   findProcessesWithCwdInside,
+  findProcessCwdHolders,
   clearWorktreeFailureCache,
   listProcessDescendants,
   listProcessReachable,

package/engine/worktree-gc.js

@@ -477,6 +477,15 @@ function gcDispatchWorktreeIfOrphan(opts) {
     excludeDispatchId = null,
     config = null,
     writeToInbox = null,
+    // W-mqinlicl §6 — optional pre-remove holder reaper. The dispatch-end
+    // caller (engine.js) injects `_reapWorktreeHolders` so that before we try
+    // to remove this worktree we kill the ending dispatch's own orphaned
+    // descendant tree (copilot/node/cmd children whose CWD pins the dir). This
+    // closes the same EBUSY/EPERM/ETIMEDOUT removal failures the quarantine
+    // path's reap closes — a dispatch should always reap the tree it spawned
+    // before releasing its worktree. Windows-only + isWorktreePathLive-gated
+    // inside the reaper; a no-op everywhere else. Best-effort: never blocks GC.
+    reapHolders = null,
   } = opts || {};
   const decision = shouldGcDispatchWorktree(opts);
   if (!decision.gc) {
@@ -488,6 +497,18 @@ function gcDispatchWorktreeIfOrphan(opts) {
   const _removeFn = typeof removeWorktree === 'function' ? removeWorktree : shared.removeWorktree;
   const _rmOpts = excludeDispatchId ? { excludeDispatchId } : undefined;
   const resolved = (() => { try { return path.resolve(worktreePath); } catch { return worktreePath; } })();
+  // W-mqinlicl §6 — reap the ending dispatch's own orphaned descendant tree
+  // BEFORE attempting removal. The owning dispatch is still 'active' at this
+  // point, so it is passed as `ownerDispatchId` (terminal-owner discovery would
+  // miss it) and as `excludeDispatchId` so the reaper's live-guard ignores this
+  // dispatch's own row. Failure here must never block the removal that follows.
+  if (typeof reapHolders === 'function') {
+    try {
+      reapHolders(worktreePath, { excludeDispatchId, ownerDispatchId: excludeDispatchId });
+    } catch (reapErr) {
+      log('warn', `worktree-gc: pre-remove reap threw for ${worktreePath}: ${reapErr && reapErr.message}`);
+    }
+  }
   try {
     const removed = _removeFn(worktreePath, gitRoot, worktreeRoot, _rmOpts);
     if (removed) {
@@ -971,11 +992,151 @@ function pruneOrphanWorktreesFromGitRegistry(opts) {
   return result;
 }
 
+/**
+ * Missing-dir reclaim sweep (W-mqifblkf00149df5): repo-wide, branch-agnostic
+ * reaper for worktree ADMIN entries whose backing working directory is MISSING
+ * on disk. An interrupted `git worktree add` (engine crash / kill during git's
+ * `initializing` lock phase) leaves a `.git/worktrees/<id>/` registration
+ * behind — often with a `locked` file, reason `initializing` — whose working
+ * dir never materialized. Because the entry is LOCKED, `git worktree prune`
+ * (and `pruneOrphanWorktreesFromGitRegistry`'s `prune --expire=now`) SKIP it
+ * by design, so it survives forever and BRICKS the branch it claims: every
+ * later `git worktree add <branch>` fails with
+ * `'<branch>' is already used by worktree at '<path>'`. Recovery used to need
+ * a human running `git worktree unlock` + `git worktree remove -f -f`.
+ *
+ * This sweep reclaims ONLY the genuinely-safe case, for each project repo:
+ *   1. backing `path` does NOT exist on disk (`!fs.existsSync`) — a present
+ *      dir may hold unpushed work and is OUT OF SCOPE (never force-removed
+ *      here), AND
+ *   2. no non-terminal dispatch still claims that exact path
+ *      (`shared.isWorktreePathLive` — fail-open: leak/skip rather than nuke),
+ *      AND
+ *   3. it is not the main checkout (`path === project root`).
+ * For those entries it runs `git worktree remove -f -f <path>` (the double
+ * force beats `locked: initializing`; plain prune cannot) and, when at least
+ * one entry was reclaimed for a repo, a trailing `git worktree prune`.
+ *
+ * Injection points (all optional — default to the real implementations):
+ *   projects, log, fs, execSilent, parseWorktreePorcelain, isWorktreePathLive,
+ *   db.
+ *
+ * Returns `{ scanned, reclaimed, skippedLive, failed, perProject }` where
+ * `scanned` counts only the missing-dir candidates considered (dirs that still
+ * exist are skipped before scanning).
+ */
+function reclaimMissingDirWorktrees(opts) {
+  opts = opts || {};
+  const projects = Array.isArray(opts.projects) ? opts.projects : [];
+  const log = typeof opts.log === 'function' ? opts.log : _noopLog;
+  const _fs = opts.fs || fs;
+  const _execSilent = typeof opts.execSilent === 'function'
+    ? opts.execSilent
+    : shared.execSilent;
+  const _parseWorktreePorcelain = typeof opts.parseWorktreePorcelain === 'function'
+    ? opts.parseWorktreePorcelain
+    : shared.parseWorktreePorcelain;
+  const _isWorktreePathLive = typeof opts.isWorktreePathLive === 'function'
+    ? opts.isWorktreePathLive
+    : shared.isWorktreePathLive;
+  const _liveOpts = opts.db ? { db: opts.db } : undefined;
+
+  const result = { scanned: 0, reclaimed: 0, skippedLive: 0, failed: 0, perProject: {} };
+  const _seenAbs = new Set(); // dedup across projects sharing a parent repo
+
+  for (const project of projects) {
+    if (!project || !project.localPath) continue;
+    let rootDir;
+    try { rootDir = path.resolve(String(project.localPath)); } catch { continue; }
+    let rootExists = false;
+    try { rootExists = _fs.existsSync(rootDir); } catch { rootExists = false; }
+    if (!rootExists) continue;
+
+    const projStats = { scanned: 0, reclaimed: 0, skippedLive: 0, failed: 0 };
+    let raw = '';
+    try {
+      raw = String(_execSilent('git --no-optional-locks worktree list --porcelain', {
+        cwd: rootDir, timeout: 15000, windowsHide: true,
+      }) || '');
+    } catch (e) {
+      log('warn', `worktree-gc: missing-dir reclaim list failed for ${project.name || rootDir}: ${e.message}`);
+      result.perProject[project.name || rootDir] = projStats;
+      continue;
+    }
+
+    let trees;
+    try { trees = _parseWorktreePorcelain(raw); }
+    catch (e) {
+      log('warn', `worktree-gc: missing-dir reclaim parse failed for ${project.name || rootDir}: ${e.message}`);
+      result.perProject[project.name || rootDir] = projStats;
+      continue;
+    }
+
+    let reclaimedHere = 0;
+    for (const wt of trees) {
+      if (!wt || !wt.path) continue;
+      let wtAbs;
+      try { wtAbs = path.resolve(wt.path); } catch { continue; }
+      if (wtAbs === rootDir) continue; // never the main checkout
+      if (_seenAbs.has(wtAbs)) continue;
+      _seenAbs.add(wtAbs);
+
+      // SAFETY 1 — only reclaim entries whose backing dir is genuinely MISSING.
+      // A present dir may hold unpushed work; force-removing it is out of scope.
+      let dirExists = true;
+      try { dirExists = _fs.existsSync(wtAbs); } catch { dirExists = true; }
+      if (dirExists) continue;
+
+      projStats.scanned++;
+      result.scanned++;
+
+      // SAFETY 2 — never reclaim a path a non-terminal dispatch still claims
+      // (fail-open: isWorktreePathLive returns true when SQL is unreachable).
+      let live = true;
+      try { live = !!_isWorktreePathLive(wt.path, _liveOpts); }
+      catch (_e) { live = true; }
+      if (live) {
+        projStats.skippedLive++; result.skippedLive++;
+        log('debug', `worktree-gc: missing-dir reclaim skipping live-claimed ${wtAbs}`);
+        continue;
+      }
+
+      try {
+        _execSilent(`git worktree remove -f -f "${wtAbs}"`, {
+          cwd: rootDir, timeout: 15000, windowsHide: true,
+        });
+        reclaimedHere++;
+        projStats.reclaimed++; result.reclaimed++;
+        try { shared.bumpWorktreeGcMetric('missingDirReclaimed'); } catch { /* metric optional */ }
+        log('info', `worktree-gc: reclaimed missing-dir worktree ${wtAbs}${wt.locked ? ' (was locked)' : ''}${wt.branch ? ` [branch ${wt.branch}]` : ''}`);
+      } catch (e) {
+        projStats.failed++; result.failed++;
+        log('warn', `worktree-gc: missing-dir reclaim remove -f -f failed for ${wtAbs}: ${(e.message || '').split('\n')[0]}`);
+      }
+    }
+
+    // Only prune when we actually reaped something — keeps the no-stale-entry
+    // path a pure no-op (no extra git spawn).
+    if (reclaimedHere > 0) {
+      try {
+        _execSilent('git worktree prune', { cwd: rootDir, timeout: 10000, windowsHide: true });
+      } catch (e) {
+        log('warn', `worktree-gc: missing-dir reclaim prune failed for ${project.name || rootDir}: ${e.message}`);
+      }
+    }
+
+    result.perProject[project.name || rootDir] = projStats;
+  }
+
+  return result;
+}
+
 module.exports = {
   shouldGcDispatchWorktree,
   gcDispatchWorktreeIfOrphan,
   pruneOrphanWorktrees,
   pruneOrphanWorktreesFromGitRegistry,
+  reclaimMissingDirWorktrees, // W-mqifblkf00149df5 — locked-initializing missing-dir reaper
   // exported for testing (W-mq5o6bvy000x7191)
   _resetStuckPathsForTesting,
   _stuckPaths,

package/engine.js

@@ -1078,15 +1078,25 @@ async function _renameWithRetry(src, dst, opts = {}) {
   throw lastErr;
 }
 
+// W-mqila0t5 — resolve the worktree-holder reap probe timeout, honoring a
+// `config.engine.statusProbeKillTimeoutMs` override (the dashboard Settings
+// control persists there) and falling back to the ENGINE_DEFAULTS default.
+// Fail-safe: any error reading config falls back to the default.
+function _reapProbeTimeoutMs() {
+  try {
+    const v = Number((getConfig() || {}).engine?.statusProbeKillTimeoutMs);
+    if (Number.isFinite(v) && v > 0) return v;
+  } catch { /* fall through to default */ }
+  return ENGINE_DEFAULTS.statusProbeKillTimeoutMs || 12000;
+}
+
 // W-mq5n1zx5 — Layer 2a: on Windows, kill any live `git.exe` descendants
 // whose command line points at the quarantine target path. We never
 // tracked the PID of the `git status --porcelain` child that the probe
 // timed out on, so we can't kill by PID — instead we shell out to
 // PowerShell's CIM cmdlets to find matching processes and Stop-Process
-// them. Cheap (<2s) and idempotent — if no descendants are alive, the
-// CIM query returns nothing and exits 0. POSIX is a no-op (the EBUSY
-// race is Windows-specific). Best-effort; failure is logged but never
-// blocks the quarantine.
+// them. POSIX is a no-op (the EBUSY race is Windows-specific). Best-effort;
+// failure is logged but never blocks the quarantine.
 function _killGitDescendantsForWorktree(worktreePath) {
   if (process.platform !== 'win32') return { killed: 0, skipped: true };
   if (!ENGINE_DEFAULTS.statusProbeKillDescendantsWin32) return { killed: 0, skipped: true };
@@ -1100,7 +1110,7 @@ function _killGitDescendantsForWorktree(worktreePath) {
     "if ($matches) { $matches | ForEach-Object { Stop-Process -Id $_.ProcessId -Force; $_.ProcessId }; }",
   ].join(' ');
   try {
-    const out = shared.execSilent(`powershell -NoProfile -Command "${ps.replace(/"/g, '\\"')}"`, { timeout: 2000, encoding: 'utf8' });
+    const out = shared.execSilent(`powershell -NoProfile -Command "${ps.replace(/"/g, '\\"')}"`, { timeout: _reapProbeTimeoutMs(), encoding: 'utf8' });
     const killed = String(out || '').split(/\r?\n/).map(s => s.trim()).filter(Boolean).length;
     if (killed > 0) log('info', `_killGitDescendantsForWorktree: killed ${killed} git.exe descendant(s) holding ${worktreePath}`);
     return { killed };
@@ -1110,6 +1120,188 @@ function _killGitDescendantsForWorktree(worktreePath) {
   }
 }
 
+// W-mqila0t5 — discover the dispatch id(s) that previously OWNED a worktree
+// path and are now TERMINAL (i.e. not pending/active). Used by Layer 1 of the
+// holder reaper to look up and kill the exact descendant tree the engine
+// itself spawned for this worktree. Reading from the dispatch store (all
+// sections) means we still find the owner after it has gone terminal — that's
+// precisely the orphan case (the prior failed dispatch left a CWD-pinning
+// child alive). Active/pending owners are deliberately EXCLUDED: a live owner
+// is handled by the isWorktreePathLive skip, never by a kill.
+// Injectable via _deps.readDispatchSectioned for testing.
+function _findTerminalWorktreeOwners(worktreePath, _deps = {}) {
+  if (!worktreePath) return [];
+  const target = shared._normalizeWorktreePath(worktreePath);
+  if (!target) return [];
+  let sectioned;
+  try {
+    const reader = typeof _deps.readDispatchSectioned === 'function'
+      ? _deps.readDispatchSectioned
+      : require('./engine/dispatch-store').readDispatchSectioned;
+    sectioned = reader();
+  } catch {
+    try {
+      sectioned = require(path.join(__dirname, 'engine', 'dispatch-store')).readDispatchSectioned();
+    } catch { return []; }
+  }
+  if (!sectioned || typeof sectioned !== 'object') return [];
+  const owners = [];
+  for (const [status, rows] of Object.entries(sectioned)) {
+    // Skip the live sections — a live owner must never be reaped here.
+    if (status === 'pending' || status === 'active') continue;
+    for (const rec of (Array.isArray(rows) ? rows : [])) {
+      if (!rec || !rec.id) continue;
+      const wt = rec.worktreePath || rec.meta?.worktreePath || '';
+      if (wt && shared._normalizeWorktreePath(wt) === target) {
+        if (!owners.includes(rec.id)) owners.push(rec.id);
+      }
+    }
+  }
+  return owners;
+}
+
+// W-mqila0t5 — broaden the pre-quarantine worktree-holder reaper to also close
+// the dir-PRESENT + CWD-pinned + EBUSY variant (the one firing in production
+// RIGHT NOW). The old path only nuked git.exe processes matched by command
+// line; the real lock holder is an ORPHANED AGENT PROCESS TREE (copilot/cmd/
+// node/powershell) whose CWD is the worktree root — invisible to a
+// command-line match and to file-handle detectors (the lock is a DIRECTORY
+// handle, not a file handle). Two complementary layers, both hard-gated:
+//
+//   Layer 0 — legacy git.exe-by-cmdline sweep (_killGitDescendantsForWorktree).
+//   Layer 1 — OWNERSHIP reap: for each TERMINAL dispatch that owned this
+//             worktree (plus an explicitly-supplied `ownerDispatchId`, used by
+//             the dispatch-end GC path where the owning dispatch is still
+//             'active' and so isn't found by terminal-owner discovery), kill
+//             its recorded root PID (from the PID file) plus the full
+//             descendant tree. Precise; can never touch a live sibling.
+//   Layer 2 — CWD-SCAN reap (fallback for orphans the map/PID files no longer
+//             track, e.g. after an engine restart): PEB-CWD probe finds procs
+//             whose CWD is under THIS worktree and kills them. Only ever reaps
+//             CWDs at/under THIS worktreePath — a sibling agent running in its
+//             OWN worktree is never touched.
+//
+// MANDATORY GATES: POSIX is a no-op; the master statusProbeKillDescendantsWin32
+// switch gates everything; and isWorktreePathLive(path,{excludeDispatchId})
+// must be false (fail-open: on SQL error / throw we SKIP the whole reap and
+// leak the worktree rather than risk nuking a live agent's unpushed work).
+// The live check is RE-RUN at kill time before Layer 2 (W-mqinlicl TOCTOU fix):
+// the PEB probe can take several seconds, and liveness flips on the engine
+// tick — a stale "not live" snapshot from the top of the function is unsafe to
+// kill on. Every probe is wrapped so an ETIMEDOUT / throw is swallowed (reap
+// nothing) and the caller (quarantine OR dispatch-end removal) still proceeds.
+function _reapWorktreeHolders(worktreePath, opts = {}) {
+  const result = { layer0: 0, layer1: 0, layer2: 0, skipped: false, reason: null };
+  const deps = opts._deps || {};
+  const platform = deps.platform || process.platform;
+  if (platform !== 'win32') { result.skipped = true; result.reason = 'posix'; return result; }
+  if (!ENGINE_DEFAULTS.statusProbeKillDescendantsWin32) { result.skipped = true; result.reason = 'disabled'; return result; }
+  if (!worktreePath) { result.skipped = true; result.reason = 'no-path'; return result; }
+
+  const excludeDispatchId = opts.excludeDispatchId || null;
+  const ownerDispatchId = opts.ownerDispatchId || null;
+  const isLiveFn = typeof deps.isWorktreePathLive === 'function' ? deps.isWorktreePathLive : shared.isWorktreePathLive;
+  const liveOpts = excludeDispatchId ? { excludeDispatchId } : {};
+  const killFn = typeof deps.kill === 'function' ? deps.kill : shared.killImmediate;
+  const listDescendantsFn = typeof deps.listProcessDescendants === 'function' ? deps.listProcessDescendants : shared.listProcessDescendants;
+  const findOwnersFn = typeof deps.findTerminalOwners === 'function' ? deps.findTerminalOwners : (wt) => _findTerminalWorktreeOwners(wt, deps);
+  const findPidFileFn = typeof deps.findDispatchPidFile === 'function' ? deps.findDispatchPidFile : shared.findDispatchPidFile;
+  const readPidFn = typeof deps.readPid === 'function' ? deps.readPid : (file) => {
+    try { return parseInt(String(fs.readFileSync(file, 'utf8')).trim(), 10); } catch { return null; }
+  };
+  const listCwdHoldersFn = typeof deps.findProcessCwdHolders === 'function' ? deps.findProcessCwdHolders : shared.findProcessCwdHolders;
+  // Layer 0 sweep is injectable so tests can exercise Layers 1/2 in isolation.
+  const layer0Fn = typeof deps.killGitDescendants === 'function' ? deps.killGitDescendants : _killGitDescendantsForWorktree;
+
+  // MANDATORY GATE — fail-open: any throw OR a live claim → skip the whole reap.
+  let live;
+  try { live = isLiveFn(worktreePath, liveOpts); }
+  catch (e) {
+    log('warn', `_reapWorktreeHolders: isWorktreePathLive threw for ${worktreePath} (${e.message}) — fail-open skip`);
+    result.skipped = true; result.reason = 'live-guard-threw';
+    return result;
+  }
+  if (live) { result.skipped = true; result.reason = 'live'; return result; }
+
+  // Layer 0 — legacy git.exe-by-cmdline sweep.
+  try { result.layer0 = (layer0Fn(worktreePath).killed) || 0; }
+  catch { /* best-effort */ }
+
+  // Layer 1 — ownership reap of terminal owners' (plus the supplied
+  // ownerDispatchId's) recorded PID trees. Fast (no external probe), so the
+  // top-of-function live check is still current here.
+  try {
+    const owners = new Set(findOwnersFn(worktreePath) || []);
+    if (ownerDispatchId) owners.add(ownerDispatchId);
+    const toKill = new Set();
+    for (const ownerId of owners) {
+      let rootPid = null;
+      try {
+        const pidFile = findPidFileFn(ownerId);
+        if (pidFile) rootPid = readPidFn(pidFile);
+      } catch { rootPid = null; }
+      if (!Number.isInteger(rootPid) || rootPid <= 0) continue;
+      toKill.add(rootPid);
+      try { for (const d of (listDescendantsFn(rootPid) || [])) toKill.add(d); }
+      catch { /* descendant enum best-effort */ }
+    }
+    for (const pid of toKill) {
+      if (!Number.isInteger(pid) || pid <= 0 || pid === process.pid) continue;
+      try { killFn({ pid }); result.layer1++; }
+      catch { /* keep reaping the rest */ }
+    }
+    if (result.layer1 > 0) {
+      log('info', `_reapWorktreeHolders: Layer 1 reaped ${result.layer1} recorded PID(s) for owner(s) of ${worktreePath}`);
+    }
+  } catch (e) {
+    log('warn', `_reapWorktreeHolders: Layer 1 ownership reap threw for ${worktreePath} (${e.message}) — continuing`);
+  }
+
+  // Layer 2 — CWD-scan reap (PEB probe). Fail-open: ETIMEDOUT / throw → [].
+  try {
+    const timeoutMs = _reapProbeTimeoutMs();
+    const target = shared._normalizeWorktreePath(worktreePath);
+    const holders = listCwdHoldersFn(worktreePath, { timeoutMs }) || [];
+    // TOCTOU re-check (W-mqinlicl §4): the PEB probe above can take several
+    // seconds, and a fresh dispatch can reuse this worktree mid-probe. Verified
+    // live: recon flagged a path as orphan-pinned, then the engine reused it ~2
+    // min later — killing on the stale snapshot would murder a live agent.
+    // Re-confirm liveness at kill time; fail-open (skip the Layer 2 kills, do
+    // NOT touch any PID) on a live claim OR on any SQL error/throw.
+    let stillLive;
+    try { stillLive = isLiveFn(worktreePath, liveOpts); }
+    catch (e) {
+      log('warn', `_reapWorktreeHolders: Layer 2 live re-check threw for ${worktreePath} (${e.message}) — fail-open, skipping Layer 2 kills`);
+      stillLive = true;
+    }
+    if (stillLive) {
+      result.layer2Skipped = 'live-at-kill-time';
+      log('warn', `_reapWorktreeHolders: Layer 2 skipped — ${worktreePath} went live during the CWD probe (TOCTOU guard)`);
+    } else {
+      for (const h of holders) {
+        const pid = Number(h && h.pid);
+        if (!Number.isInteger(pid) || pid <= 0 || pid === process.pid) continue;
+        // Defense-in-depth: NEVER reap a holder whose reported CWD resolves
+        // under a DIFFERENT worktree (a live sibling agent). The probe already
+        // filters, but re-confirm here so a stub / future caller can't widen it.
+        if (h && h.cwd && target) {
+          const c = shared._normalizeWorktreePath(h.cwd);
+          if (c && c !== target && !c.startsWith(target + '/')) continue;
+        }
+        try { killFn({ pid }); result.layer2++; }
+        catch { /* keep reaping the rest */ }
+      }
+      if (result.layer2 > 0) {
+        log('info', `_reapWorktreeHolders: Layer 2 reaped ${result.layer2} CWD-pinning process(es) under ${worktreePath}`);
+      }
+    }
+  } catch (e) {
+    log('warn', `_reapWorktreeHolders: Layer 2 CWD-scan reap threw for ${worktreePath} (${e.message}) — continuing (caller proceeds)`);
+  }
+
+  return result;
+}
+
 // W-mq5n1zx5 — Layer 3a: bump the rolling counters for quarantine rename
 // outcomes (attempts, success, successAfterRetry, fallbackForceRemove,
 // totalFailure). Best-effort; metrics failures must not break the
@@ -1473,12 +1665,18 @@ async function _quarantineDirtyWorktree(rootDir, worktreePath, branchName, gitOp
     return { quarantinedPath: null, backupRef: null, skipped: true };
   }
 
-  // W-mq5n1zx5 Layer 2a: pre-emptively kill any git.exe descendants whose
-  // command line points at the worktree. The status-probe child that timed
-  // out earlier may still be alive holding packfile handles; if so, the
-  // rename below will fail with EBUSY/EPERM until the descendant exits.
-  // POSIX is a no-op. Best-effort; failure here is non-fatal.
-  _killGitDescendantsForWorktree(worktreePath);
+  // W-mq5n1zx5 / W-mqila0t5 Layer 0–2: pre-emptively reap any process holding
+  // the worktree dir before we rename it. The status-probe child that timed out
+  // earlier may still hold packfile handles (Layer 0: git.exe by cmdline), and —
+  // the variant firing in production — an ORPHANED AGENT PROCESS TREE
+  // (copilot/cmd/node/powershell) from the prior failed dispatch may still be
+  // alive with its CWD set to the worktree root, pinning the dir so rename AND
+  // `git worktree remove --force` both return EBUSY. Layer 1 reaps the recorded
+  // PID tree of any terminal owning dispatch; Layer 2 PEB-scans for any process
+  // whose CWD is under this worktree. All layers are Windows-only, gated on the
+  // live-worktree guard, and fail-open — failure here is non-fatal and the
+  // quarantine still proceeds to its rename / force-remove fallback.
+  _reapWorktreeHolders(worktreePath, { excludeDispatchId: diag.dispatchId });
 
   // W-mq5n1zx5 Layer 1a: rename with jittered backoff. Replaces the bare
   // `fs.renameSync(worktreePath, quarantinedPath)` that used to throw
@@ -2466,14 +2664,31 @@ async function spawnAgent(dispatchItem, config) {
                         log('info', `Branch ${branchName} already checked out at ${existingWtPath} — reusing`);
                         worktreePath = existingWtPath;
                         worktreeReused = true;
-                      } else if (existingWtPath && !fs.existsSync(existingWtPath)) {
-                        log('warn', `Branch ${branchName} tracked in missing dir ${existingWtPath} — pruning and recreating`);
-                        try { await shared.shellSafeGit(['worktree', 'prune'], { ..._gitOpts, cwd: rootDir, timeout: 10000 }); } catch (e) { log('warn', 'git: ' + e.message); }
-                        await runWorktreeAdd(rootDir, worktreePath, [branchName], _worktreeGitOpts, worktreeCreateRetries);
-                        log('info', `Recovered worktree for ${branchName} after stale entry prune`);
                       } else {
-                        try { await shared.shellSafeGit(['worktree', 'prune'], { ..._gitOpts, cwd: rootDir, timeout: 10000 }); } catch (e) { log('warn', 'git: ' + e.message); }
-                        await runWorktreeAdd(rootDir, worktreePath, [branchName], _worktreeGitOpts, worktreeCreateRetries);
+                        // Gap B (W-mqifblkf00149df5): the branch is registered to a
+                        // worktree whose backing dir is MISSING — either
+                        // findExistingWorktree returned null (it filters missing
+                        // dirs) or it resolved a non-null path that no longer
+                        // exists. A plain `git worktree prune` SKIPS locked:
+                        // initializing entries BY DESIGN, so a crash-left stale
+                        // entry survives and the retry fails identically, bricking
+                        // the branch for every future dispatch. Route through the
+                        // remove -f -f reaper (pruneStaleWorktreeForBranch),
+                        // mirroring the _branchOnRemote === true recovery above, so
+                        // BOTH paths can reap locked-initializing missing-dir entries.
+                        const pruned = await pruneStaleWorktreeForBranch(rootDir, branchName, _gitOpts);
+                        if (pruned > 0) {
+                          log('info', `Pruned ${pruned} stale worktree entry(ies) for ${branchName}; retrying worktree add`);
+                          await runWorktreeAdd(rootDir, worktreePath, [branchName], _worktreeGitOpts, 0);
+                          log('info', `Recovered worktree for ${branchName} after stale entry prune`);
+                        } else {
+                          // Prune was a no-op — the holder is a real worktree
+                          // (at-or-inside project root, or git's view drifted).
+                          // Surface non-retryably with the holder path.
+                          const holder = _parseAlreadyUsedHolderPath(e2.message) || _parseAlreadyUsedHolderPath(e1.message);
+                          if (holder) { _failBranchHeldByExternalWorktree(branchName, holder, e2); return null; }
+                          throw e2;
+                        }
                       }
                     } else {
                       throw e2;
@@ -4668,6 +4883,10 @@ async function spawnAgent(dispatchItem, config) {
           // default worktreePoolSize:0 config. Pool-return uses the same
           // plumbing; this is the matching wiring on the orphan-GC side.
           excludeDispatchId: id,
+          // W-mqinlicl §6 — reap THIS dispatch's own orphaned descendant tree
+          // (CWD-pinning copilot/node/cmd children) before removeWorktree, so
+          // dispatch-end GC doesn't EBUSY/EPERM/ETIMEDOUT on a tree we spawned.
+          reapHolders: (wt, o) => _reapWorktreeHolders(wt, o),
           log,
         });
         if (_gcResult.outcome === 'gc') {
@@ -8874,8 +9093,9 @@ async function tickInner() {
       const { runPeriodicWorktreeSweep } = require('./engine/cleanup');
       const stats = runPeriodicWorktreeSweep(config);
       const totalEvicted = (stats.evicted || 0) + (stats.outOfRootEvicted || 0);
-      if (totalEvicted > 0 || stats.failed > 0) {
-        log('info', `worktree-prune sweep: scanned=${stats.scanned} evicted=${stats.evicted} outOfRootEvicted=${stats.outOfRootEvicted} kept=${stats.kept} failed=${stats.failed} prunedRegistry=${stats.prunedRegistry}`);
+      const reclaimed = stats.missingDirReclaimed || 0;
+      if (totalEvicted > 0 || stats.failed > 0 || reclaimed > 0) {
+        log('info', `worktree-prune sweep: scanned=${stats.scanned} evicted=${stats.evicted} outOfRootEvicted=${stats.outOfRootEvicted} kept=${stats.kept} failed=${stats.failed} prunedRegistry=${stats.prunedRegistry} missingDirReclaimed=${reclaimed} missingDirSkippedLive=${stats.missingDirSkippedLive || 0}`);
       }
     });
     if (_isTickStale(myGeneration)) return;
@@ -9758,6 +9978,7 @@ module.exports = {
   buildDepConflictFixItem, deriveConflictFixKey, // exported for testing (W-mpcwojgr000a0244)
   isWorktreeRetryableError, removeStaleIndexLock, syncReusedWorktree, assertCleanSharedWorktree, _quarantineDirtyWorktree, // exported for testing
   _renameWithRetry, _statusPorcelainCmd, _killGitDescendantsForWorktree, _bumpQuarantineOutcome, // exported for testing (W-mq5n1zx5)
+  _reapWorktreeHolders, _findTerminalWorktreeOwners, // exported for testing (W-mqila0t5 — CWD-pinned holder reap)
   pruneStaleWorktreeForBranch, // exported for testing
   findExistingWorktree, // exported for testing
   probeBranchOnRemote, // exported for testing (W-mphnm6a1000281b8)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.2219",
+  "version": "0.1.2221",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"