aidevops 3.11.17 → 3.13.0

package/VERSION

@@ -1 +1 @@
-3.11.17
+3.13.0

package/aidevops.sh

@@ -5,7 +5,7 @@
 # AI DevOps Framework CLI
 # Usage: aidevops <command> [options]
 #
-# Version: 3.11.17
+# Version: 3.13.0
 
 set -euo pipefail
 
@@ -480,6 +480,46 @@ _update_check_homebrew() {
 	return 0
 }
 
+# t2926 / GH#21102: Re-check setsid on every 'aidevops update' run.
+# setsid (from util-linux) is required to detach pulse workers into their own
+# process group — without it, every pulse restart sends SIGHUP to its PGID,
+# killing in-flight workers. This check runs even when setup.sh is skipped
+# (already up-to-date path), so Homebrew drift doesn't silently break workers.
+_update_check_setsid() {
+	command -v setsid >/dev/null 2>&1 && return 0
+
+	# setsid is missing. On macOS with Homebrew, auto-install util-linux.
+	# Use a boolean flag to avoid repeating the OS literal string.
+	local _on_mac=false
+	[[ "$(uname -s)" == Darwin* ]] && _on_mac=true
+	if $_on_mac && command -v brew >/dev/null 2>&1; then
+		print_info "setsid not found — installing util-linux for worker PGID isolation (GH#21102)"
+		if brew install util-linux 2>&1 | tail -3; then
+			local brew_prefix=""
+			brew_prefix="$(brew --prefix 2>/dev/null || true)"
+			local keg_setsid="${brew_prefix}/opt/util-linux/bin/setsid"
+			local link_target="${brew_prefix}/bin/setsid"
+			if [[ -x "$keg_setsid" && ! -e "$link_target" ]]; then
+				ln -s "$keg_setsid" "$link_target" && \
+					print_success "Symlinked setsid: $keg_setsid → $link_target"
+			fi
+			if command -v setsid >/dev/null 2>&1; then
+				print_success "setsid installed at $(command -v setsid) (worker PGID isolation enabled)"
+			else
+				print_error "util-linux installed but setsid still not in PATH — check brew --prefix"
+			fi
+		else
+			print_error "brew install util-linux failed — workers will share pulse PGID until resolved"
+		fi
+	elif $_on_mac; then
+		print_error "setsid not found — worker isolation broken; install Homebrew then run: brew install util-linux"
+	else
+		print_error "setsid not found — worker isolation broken; install util-linux via your distro package manager"
+	fi
+
+	return 0
+}
+
 # Verify supply chain signature after pulling framework updates.
 # Checks that the HEAD commit is signed by the trusted maintainer key.
 # Non-blocking: warns on failure, does not abort the update.
@@ -638,6 +678,8 @@ cmd_update() {
 	_update_check_planning
 	_update_check_tools
 	_update_sweep_opencode_symlinks
+	# t2926: Re-check setsid on every update (runs even when setup.sh is skipped).
+	_update_check_setsid
 
 	# t2898: When invoked interactively (terminal stdin AND not from the
 	# auto-update daemon itself, which sets AIDEVOPS_AUTO_UPDATE=1 in its
@@ -1456,10 +1498,13 @@ _help_commands() {
 	echo "  approve <cmd>      Cryptographic issue/PR approval (setup/issue/pr/verify/status)"
 	echo "  security [cmd]     Full security assessment (posture + hygiene + supply chain)"
 	echo "  contributions      External contributions inbox (bare: status | seed/scan/stop/restart/install/uninstall)"
+	echo "  inbox [cmd]        Capture transit zone (bare: status | provision/add/find/digest/help)"
+	echo "  email [cmd]        Email mailbox management (mailbox add/list/test/remove)"
 	echo "  ip-check <cmd>     IP reputation checks (check/batch/report/providers)"
 	echo "  review-gate <cmd>  Configure review_gate.rate_limit_behavior (list/set/unset)"
 	echo "  secret <cmd>       Manage secrets (set/list/run/init/import/status)"
 	echo "  config <cmd>       Feature toggles (list/get/set/reset/path/help)"
+	echo "  knowledge <cmd>    Knowledge plane management (init/status/provision)"
 	echo "  stats <cmd>        LLM usage analytics (summary/models/projects/costs/trend)"
 	echo "  tabby <cmd>        Manage Tabby terminal profiles (sync/status/zshrc/help)"
 	echo "  parent-status <N>  Show decomposition state of parent-task issue #N (alias: ps)"
@@ -1539,6 +1584,13 @@ _help_detailed_sections() {
 	echo "  aidevops config reset [key]  # Reset toggle(s) to defaults"
 	echo "  aidevops config path         # Show config file path"
 	echo ""
+	echo "Knowledge Plane:"
+	echo "  aidevops knowledge init repo           # Provision _knowledge/ in current repo"
+	echo "  aidevops knowledge init personal       # Provision at ~/.aidevops/.agent-workspace/knowledge/"
+	echo "  aidevops knowledge init off            # Disable knowledge plane"
+	echo "  aidevops knowledge status              # Show provisioning state"
+	echo "  aidevops knowledge provision [path]    # Re-provision (idempotent)"
+	echo ""
 	echo "LLM Stats:"
 	echo "  aidevops stats               # Show usage summary (last 30 days)"
 	echo "  aidevops stats summary       # Overall usage summary"
@@ -1745,6 +1797,71 @@ _cmd_security() {
 	return 0
 }
 
+# Route 'aidevops email [subcommand]' to email helpers
+_cmd_email() {
+	local sub="${1:-help}"
+	local _EPH="email-poll-helper.sh"
+	shift || true
+	case "$sub" in
+	mailbox)
+		local action="${1:-list}"
+		shift || true
+		local _EMR_HELPER="email-mailbox-register-helper.sh"
+		case "$action" in
+		add)      _dispatch_helper "$_EMR_HELPER" "$_EMR_HELPER" add "$@" ;;
+		list)     _dispatch_helper "$_EPH" "$_EPH" list "$@" ;;
+		test)     _dispatch_helper "$_EPH" "$_EPH" test "$@" ;;
+		remove)   _dispatch_helper "$_EMR_HELPER" "$_EMR_HELPER" remove "$@" ;;
+		*)
+			echo "Usage: aidevops email mailbox <add|list|test|remove>"
+			echo ""
+			echo "Mailbox subcommands:"
+			echo "  add           Interactive: prompt for provider, user, gopass path; test connection"
+			echo "  list          Table of mailboxes with last-polled-at and last-error"
+			echo "  test <id>     Dry-run fetch (1 message); does not commit state"
+			echo "  remove <id>   Un-register a mailbox"
+			;;
+		esac
+		;;
+	poll)
+		# Direct poll commands forwarded to email-poll-helper.sh
+		local poll_action="${1:-tick}"
+		shift || true
+		_dispatch_helper "$_EPH" "$_EPH" "$poll_action" "$@" ;;
+	thread)
+		# Thread lookup: email thread <message-id> [knowledge-root]
+		local _ETH="email-thread-helper.sh"
+		_dispatch_helper "$_ETH" "$_ETH" thread "$@" ;;
+	build)
+		# Thread rebuild: email build [knowledge-root] [--force]
+		local _ETH2="email-thread-helper.sh"
+		_dispatch_helper "$_ETH2" "$_ETH2" build "$@" ;;
+	filter)
+		# Filter rules: email filter tick|add|test|list [knowledge-root]
+		local _EFH="email-filter-helper.sh"
+		[[ $# -eq 0 ]] && set -- list
+		_dispatch_helper "$_EFH" "$_EFH" "$@" ;;
+	*)
+		echo "Usage: aidevops email <mailbox|poll|thread|build|filter> [subcommand]"
+		echo ""
+		echo "Email subcommands:"
+		echo "  mailbox add              Register a new IMAP mailbox (interactive)"
+		echo "  mailbox list             Show all mailboxes + polling status"
+		echo "  mailbox test <id>        Dry-run connection test"
+		echo "  mailbox remove <id>      Un-register a mailbox"
+		echo "  poll tick                Poll all mailboxes now (same as routine r044)"
+		echo "  poll backfill <id>       Backfill a mailbox from a given date"
+		echo "  thread <message-id>      Look up thread by message-id"
+		echo "  build [--force]          Rebuild thread index from email sources"
+		echo "  filter list              List filter rules"
+		echo "  filter add               Add a new filter rule (interactive)"
+		echo "  filter test <rule>       Dry-run rule against last 50 sources"
+		echo "  filter tick              Run filter pass (routine r045)"
+		;;
+	esac
+	return 0
+}
+
 # Route 'aidevops client-format [subcommand]' to appropriate helpers
 _cmd_client_format() {
 	case "${1:-status}" in
@@ -1835,10 +1952,22 @@ main() {
 		[[ $# -eq 0 ]] && set -- status
 		_dispatch_helper "contribution-watch-helper.sh" "contribution-watch-helper.sh" "$@"
 		;;
+	inbox)
+		# Bare `aidevops inbox` defaults to status (most common use).
+		[[ $# -eq 0 ]] && set -- status
+		_dispatch_helper "inbox-helper.sh" "inbox-helper.sh" "$@"
+		;;
+	case | cases)
+		# Bare `aidevops case` defaults to list (most common use).
+		[[ $# -eq 0 ]] && set -- list
+		_dispatch_helper "case-helper.sh" "case-helper.sh" "$@"
+		;;
+	email) _cmd_email "$@" ;;
 	stats | observability) _dispatch_helper "observability-helper.sh" "observability-helper.sh" "$@" ;;
 	tabby) _dispatch_helper "tabby-helper.sh" "tabby-helper.sh" "$@" ;;
 	init-routines) _dispatch_helper "init-routines-helper.sh" "init-routines-helper.sh" "$@" ;;
 	parent-status | ps) _dispatch_helper "parent-status-helper.sh" "parent-status-helper.sh" "$@" ;;
+	knowledge) _dispatch_helper "knowledge-helper.sh" "knowledge-helper.sh" "$@" ;;
 	config | configure) _dispatch_config "$@" ;;
 	uninstall | remove) cmd_uninstall ;;
 	version | v | -v | --version) cmd_version ;;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aidevops",
-  "version": "3.11.17",
+  "version": "3.13.0",
   "description": "AI DevOps Framework - AI-assisted development workflows, code quality, and deployment automation",
   "type": "module",
   "bin": {

package/setup-modules/schedulers.sh

@@ -14,6 +14,11 @@ PULSE_STALE_THRESHOLD_SECONDS=1800
 # future cadence shift only touches one place.
 CRON_HOURLY="0 * * * *"
 
+# Cron expression: every minute. Shared by process-guard, memory-pressure
+# monitor, and pulse-watchdog schedulers (cron's minimum granularity).
+# Kept DRY for the same reason as CRON_HOURLY.
+CRON_EVERY_MINUTE="* * * * *"
+
 # Resolve the modern bash binary path for use in launchd ProgramArguments.
 # Launchd bypasses the shebang when ProgramArguments specifies an explicit
 # interpreter, so we must resolve the path at plist generation time.
@@ -668,7 +673,12 @@ ${_env_overrides_xml}	</dict>
 	<key>RunAtLoad</key>
 	<true/>
 	<key>KeepAlive</key>
-	<false/>
+	<dict>
+		<key>SuccessfulExit</key>
+		<false/>
+	</dict>
+	<key>ThrottleInterval</key>
+	<integer>30</integer>
 </dict>
 </plist>
 PLIST
@@ -703,6 +713,17 @@ _install_pulse_launchd() {
 		_interval_label="${_interval_sec}s"
 	fi
 
+	# One-time legacy cleanup: unload and remove the old-label plist if present.
+	# Users on stale installs may have com.aidevops.supervisor-pulse (legacy) and
+	# com.aidevops.aidevops-supervisor-pulse (current) both loaded, causing 2x
+	# dispatch.  Only targets the hardcoded legacy path; idempotent — no-op when
+	# the legacy file is absent.
+	local _legacy_plist="$HOME/Library/LaunchAgents/com.aidevops.supervisor-pulse.plist"
+	if [[ -f "$_legacy_plist" ]]; then
+		launchctl unload "$_legacy_plist" 2>/dev/null || true
+		rm -f "$_legacy_plist"
+	fi
+
 	# _launchd_install_if_changed handles unload-before-replace only when content
 	# has changed, and writes atomically via tmp+rename (see setup.sh).
 	# shell-portability: ignore next — _install_pulse_launchd is macOS-only (launchd)
@@ -720,6 +741,161 @@ _install_pulse_launchd() {
 	return 0
 }
 
+# Generate the pulse-watchdog launchd plist XML content.
+# Args: $1=label, $2=tick_script, $3=bash_bin
+# Prints the complete plist XML to stdout.
+#
+# The watchdog is an independent launchd job that runs every 60s and revives
+# pulse if it has been dead longer than (StartInterval + grace). Layered
+# defense alongside the pulse plist's KeepAlive=<dict><SuccessfulExit=false>
+# (auto-restart on crash) and StartInterval (scheduled cadence). Catches the
+# "clean exit + lost launchd schedule" failure mode that no other layer covers.
+# (t2939)
+_generate_pulse_watchdog_plist_content() {
+	local watchdog_label="$1"
+	local tick_script="$2"
+	local bash_bin="$3"
+
+	local _xml_label _xml_tick _xml_bash _xml_home _xml_path
+	_xml_label=$(_xml_escape "$watchdog_label")
+	_xml_tick=$(_xml_escape "$tick_script")
+	_xml_bash=$(_xml_escape "$bash_bin")
+	_xml_home=$(_xml_escape "$HOME")
+	_xml_path=$(_xml_escape "$PATH")
+
+	cat <<PLIST
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>${_xml_label}</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>${_xml_bash}</string>
+		<string>${_xml_tick}</string>
+	</array>
+	<key>StartInterval</key>
+	<integer>60</integer>
+	<key>StandardOutPath</key>
+	<string>${_xml_home}/.aidevops/logs/pulse-watchdog-launchd.log</string>
+	<key>StandardErrorPath</key>
+	<string>${_xml_home}/.aidevops/logs/pulse-watchdog-launchd.log</string>
+	<key>EnvironmentVariables</key>
+	<dict>
+		<key>PATH</key>
+		<string>${_xml_path}</string>
+		<key>HOME</key>
+		<string>${_xml_home}</string>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<false/>
+	<key>ThrottleInterval</key>
+	<integer>30</integer>
+</dict>
+</plist>
+PLIST
+	return 0
+}
+
+# Install the pulse-watchdog via launchd (macOS).
+# t2939: independent revival mechanism — see _generate_pulse_watchdog_plist_content
+# header for the layering rationale.
+_install_pulse_watchdog_launchd() {
+	local watchdog_label="sh.aidevops.pulse-watchdog"
+	local tick_script="$HOME/.aidevops/agents/scripts/pulse-watchdog-tick.sh"
+	local watchdog_plist="$HOME/Library/LaunchAgents/${watchdog_label}.plist"
+
+	# Refuse to install if the tick script is missing — the watchdog would
+	# fire-and-fail every 60s, polluting logs without doing useful work.
+	if [[ ! -x "$tick_script" ]]; then
+		print_warning "Pulse watchdog tick script missing or non-executable: $tick_script"
+		return 1
+	fi
+
+	local _xml_bash_bin
+	_xml_bash_bin=$(_resolve_modern_bash)
+
+	local watchdog_plist_content
+	watchdog_plist_content=$(_generate_pulse_watchdog_plist_content "$watchdog_label" "$tick_script" "$_xml_bash_bin")
+
+	if [[ -z "$watchdog_plist_content" ]]; then
+		print_warning "Pulse watchdog plist generation produced empty content — skipping"
+		return 1
+	fi
+
+	# shell-portability: ignore next — _install_pulse_watchdog_launchd is macOS-only
+	if _launchd_install_if_changed "$watchdog_label" "$watchdog_plist" "$watchdog_plist_content"; then
+		print_info "Pulse watchdog enabled (launchd, every 60s)"
+	else
+		print_warning "Failed to load pulse watchdog LaunchAgent"
+	fi
+	return 0
+}
+
+# Install the pulse-watchdog via systemd (Linux).
+# t2939: parallels _install_pulse_watchdog_launchd for systems with systemd --user.
+_install_pulse_watchdog_systemd() {
+	local tick_script="$HOME/.aidevops/agents/scripts/pulse-watchdog-tick.sh"
+	local watchdog_systemd="aidevops-pulse-watchdog"
+	local watchdog_log="$HOME/.aidevops/logs/pulse-watchdog-launchd.log"
+
+	if [[ ! -x "$tick_script" ]]; then
+		print_warning "Pulse watchdog tick script missing or non-executable: $tick_script"
+		return 1
+	fi
+
+	# Reuse the standard scheduler installer (cron-fallback aware).
+	# StartInterval=60 maps to every-minute cron schedule.
+	# shell-portability: ignore next — _install_scheduler_linux is Linux-only
+	_install_scheduler_linux \
+		"$watchdog_systemd" \
+		"aidevops: pulse-watchdog" \
+		"$CRON_EVERY_MINUTE" \
+		"\"${tick_script}\"" \
+		"60" \
+		"$watchdog_log" \
+		"" \
+		"Pulse watchdog enabled (every 60s)" \
+		"Failed to install pulse watchdog scheduler" \
+		"true" \
+		"false"
+	return 0
+}
+
+# Setup the pulse-watchdog scheduler (parallels setup_supervisor_pulse).
+# t2939: layered defense — only installs when supervisor pulse is enabled,
+# since a watchdog without a pulse to watch is a no-op every 60s.
+#
+# Args: $1 = pulse effective state ("true"/"false")
+setup_pulse_watchdog() {
+	local _pulse_effective="$1"
+	local watchdog_label="sh.aidevops.pulse-watchdog"
+	local watchdog_systemd="aidevops-pulse-watchdog"
+
+	if [[ "$_pulse_effective" != "true" ]]; then
+		# Pulse disabled — uninstall the watchdog if present.
+		_uninstall_scheduler \
+			"$(uname -s)" \
+			"$watchdog_label" \
+			"$watchdog_systemd" \
+			"aidevops: pulse-watchdog" \
+			"Pulse watchdog disabled (pulse is off)"
+		return 0
+	fi
+
+	mkdir -p "$HOME/.aidevops/logs"
+
+	if [[ "$(uname -s)" == "Darwin" ]]; then
+		_install_pulse_watchdog_launchd
+	else
+		_install_pulse_watchdog_systemd
+	fi
+	return 0
+}
+
 # Check if systemd user services are available on this Linux system.
 # Returns 0 if systemd --user is functional, 1 otherwise.
 _systemd_user_available() {
@@ -1341,7 +1517,7 @@ GUARD_PLIST
 		_install_scheduler_linux \
 			"$guard_systemd" \
 			"aidevops: process-guard" \
-			"* * * * *" \
+			"$CRON_EVERY_MINUTE" \
 			"\"${guard_script}\" kill-runaways" \
 			"30" \
 			"$guard_log" \
@@ -1433,7 +1609,7 @@ MONITOR_PLIST
 		_install_scheduler_linux \
 			"$monitor_systemd" \
 			"aidevops: memory-pressure-monitor" \
-			"* * * * *" \
+			"$CRON_EVERY_MINUTE" \
 			"\"${monitor_script}\"" \
 			"60" \
 			"$monitor_log" \
@@ -1799,6 +1975,118 @@ setup_complexity_scan() {
 	return 0
 }
 
+# Install pulse-merge-routine launchd plist (macOS).
+# Args: $1=label $2=script $3=log_dir
+_install_pulse_merge_routine_launchd() {
+	local pmr_label="$1"
+	local pmr_script="$2"
+	local _pmr_log_dir="$3"
+	local pmr_plist="$HOME/Library/LaunchAgents/${pmr_label}.plist"
+
+	local _xml_pmr_script _xml_pmr_home _xml_pmr_log_dir
+	_xml_pmr_script=$(_xml_escape "$pmr_script")
+	_xml_pmr_home=$(_xml_escape "$HOME")
+	_xml_pmr_log_dir=$(_xml_escape "$_pmr_log_dir")
+
+	local pmr_plist_content
+	pmr_plist_content=$(
+		cat <<PMR_PLIST
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>${pmr_label}</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
+		<string>${_xml_pmr_script}</string>
+		<string>run</string>
+	</array>
+	<key>StartInterval</key>
+	<integer>120</integer>
+	<key>StandardOutPath</key>
+	<string>${_xml_pmr_log_dir}/pulse-merge-routine.log</string>
+	<key>StandardErrorPath</key>
+	<string>${_xml_pmr_log_dir}/pulse-merge-routine.log</string>
+	<key>EnvironmentVariables</key>
+	<dict>
+		<key>PATH</key>
+		<string>/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+		<key>HOME</key>
+		<string>${_xml_pmr_home}</string>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<false/>
+	<key>ProcessType</key>
+	<string>Background</string>
+	<key>LowPriorityBackgroundIO</key>
+	<true/>
+	<key>Nice</key>
+	<integer>10</integer>
+</dict>
+</plist>
+PMR_PLIST
+	)
+
+	if _launchd_install_if_changed "$pmr_label" "$pmr_plist" "$pmr_plist_content"; then
+		print_info "Pulse merge routine enabled (launchd, every 2 min)"
+	else
+		print_warning "Failed to load pulse merge routine LaunchAgent"
+	fi
+	return 0
+}
+
+# Install pulse-merge-routine via systemd or cron (Linux).
+# Args: $1=script path, $2=log dir
+_install_pulse_merge_routine_linux() {
+	local pmr_script="$1"
+	local _pmr_log_dir="$2"
+	local pmr_systemd="aidevops-pulse-merge-routine"
+	_install_scheduler_linux \
+		"$pmr_systemd" \
+		"aidevops: pulse-merge-routine" \
+		"*/2 * * * *" \
+		"\"${pmr_script}\" run" \
+		"120" \
+		"${_pmr_log_dir}/pulse-merge-routine.log" \
+		"" \
+		"Pulse merge routine enabled (every 2 min)" \
+		"Failed to install pulse merge routine scheduler" \
+		"true" \
+		"true"
+	return 0
+}
+
+# Setup pulse merge routine (t2862, GH#20919) — runs merge_ready_prs_all_repos()
+# as a fast 120s standalone routine, decoupled from the monolithic pulse cycle.
+# The pulse cycle's preflight stack (60-470s) meant the merge pass ran only ~7
+# times/24h despite ~40+ cycles. This routine ensures green PRs merge within ~3
+# min of CI completion. The in-cycle merge call in pulse-wrapper.sh is kept as
+# defense-in-depth but short-circuits when this routine ran within the last 60s.
+setup_pulse_merge_routine() {
+	local pmr_script="$HOME/.aidevops/agents/scripts/pulse-merge-routine.sh"
+	local pmr_label="sh.aidevops.pulse-merge-routine"
+	if ! [[ -x "$pmr_script" ]]; then
+		return 0
+	fi
+
+	# Reuse contribution-watch's log-dir resolver (same logic, same config key).
+	local _pmr_log_dir
+	_pmr_log_dir=$(_resolve_cw_log_dir) || return 1
+	mkdir -p "$_pmr_log_dir"
+
+	# Install/update scheduled runner
+	if [[ "$(uname -s)" == "Darwin" ]]; then
+		_install_pulse_merge_routine_launchd "$pmr_label" "$pmr_script" "$_pmr_log_dir"
+	else
+		_install_pulse_merge_routine_linux "$pmr_script" "$_pmr_log_dir"
+	fi
+	return 0
+}
+
 # Setup draft responses — private repo + local draft storage for reviewing
 # AI-drafted replies to external contributions (t1555).
 # Respects config: aidevops config set orchestration.draft_responses false
@@ -2276,3 +2564,126 @@ setup_repo_aidevops_health() {
 	fi
 	return 0
 }
+
+# ============================================================================
+# Peer productivity monitor (t2932)
+# ============================================================================
+#
+# Adaptive cross-runner dispatch coordination: observes peer GitHub activity
+# every 30 min and updates ~/.config/aidevops/dispatch-override.conf to
+# `ignore` peers whose pulse is broken (claims issues but never PRs) and
+# back to `honour` when they recover. Self-healing across the ecosystem —
+# each runner observes peers independently, no central coordinator needed.
+# Manual entries in dispatch-override.conf above the auto-managed marker
+# always take precedence.
+
+# Install peer-productivity-monitor launchd plist (macOS).
+# Args: $1=label $2=script $3=log_dir
+_install_peer_productivity_monitor_launchd() {
+	local ppm_label="$1"
+	local ppm_script="$2"
+	local _ppm_log_dir="$3"
+	local ppm_plist="$HOME/Library/LaunchAgents/${ppm_label}.plist"
+
+	local _xml_ppm_script _xml_ppm_home _xml_ppm_log_dir
+	_xml_ppm_script=$(_xml_escape "$ppm_script")
+	_xml_ppm_home=$(_xml_escape "$HOME")
+	_xml_ppm_log_dir=$(_xml_escape "$_ppm_log_dir")
+
+	local ppm_plist_content
+	ppm_plist_content=$(
+		cat <<PPM_PLIST
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>${ppm_label}</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
+		<string>${_xml_ppm_script}</string>
+		<string>observe</string>
+	</array>
+	<key>StartInterval</key>
+	<integer>1800</integer>
+	<key>StandardOutPath</key>
+	<string>${_xml_ppm_log_dir}/peer-productivity-launchd.log</string>
+	<key>StandardErrorPath</key>
+	<string>${_xml_ppm_log_dir}/peer-productivity-launchd.log</string>
+	<key>EnvironmentVariables</key>
+	<dict>
+		<key>PATH</key>
+		<string>/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+		<key>HOME</key>
+		<string>${_xml_ppm_home}</string>
+	</dict>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<false/>
+	<key>ProcessType</key>
+	<string>Background</string>
+	<key>LowPriorityBackgroundIO</key>
+	<true/>
+	<key>Nice</key>
+	<integer>10</integer>
+</dict>
+</plist>
+PPM_PLIST
+	)
+
+	if _launchd_install_if_changed "$ppm_label" "$ppm_plist" "$ppm_plist_content"; then
+		print_info "Peer productivity monitor enabled (launchd, every 30 min)"
+	else
+		print_warning "Failed to load peer-productivity-monitor LaunchAgent"
+	fi
+	return 0
+}
+
+# Install peer-productivity-monitor via systemd or cron (Linux).
+# Args: $1=script path, $2=log dir
+_install_peer_productivity_monitor_linux() {
+	local ppm_script="$1"
+	local _ppm_log_dir="$2"
+	local ppm_systemd="aidevops-peer-productivity-monitor"
+	_install_scheduler_linux \
+		"$ppm_systemd" \
+		"aidevops: peer-productivity-monitor" \
+		"*/30 * * * *" \
+		"\"${ppm_script}\" observe" \
+		"1800" \
+		"${_ppm_log_dir}/peer-productivity-launchd.log" \
+		"" \
+		"Peer productivity monitor enabled (every 30 min)" \
+		"Failed to install peer-productivity-monitor scheduler" \
+		"true" \
+		"true"
+	return 0
+}
+
+# Setup peer-productivity-monitor (t2932) — observes peer GitHub activity
+# every 30 min and updates ~/.config/aidevops/dispatch-override.conf so the
+# local pulse competes with broken peers and collaborates with healthy ones.
+# Manual entries in dispatch-override.conf above the auto-managed marker
+# always take precedence.
+setup_peer_productivity_monitor() {
+	local ppm_script="$HOME/.aidevops/agents/scripts/peer-productivity-monitor.sh"
+	local ppm_label="sh.aidevops.peer-productivity-monitor"
+	if ! [[ -x "$ppm_script" ]]; then
+		return 0
+	fi
+
+	# Reuse contribution-watch's log-dir resolver (same logic, same config key).
+	local _ppm_log_dir
+	_ppm_log_dir=$(_resolve_cw_log_dir) || return 1
+	mkdir -p "$_ppm_log_dir"
+
+	# Install/update scheduled runner
+	if [[ "$(uname -s)" == "Darwin" ]]; then
+		_install_peer_productivity_monitor_launchd "$ppm_label" "$ppm_script" "$_ppm_log_dir"
+	else
+		_install_peer_productivity_monitor_linux "$ppm_script" "$_ppm_log_dir"
+	fi
+	return 0
+}

package/setup-modules/tool-install.sh

@@ -390,12 +390,14 @@ setup_shell_linting_tools() {
 
 setup_setsid_advisory() {
 	# setsid is required to detach pulse workers into their own process group
-	# (t2757, GH#20561). Without it, workers inherit pulse's PGID and are
-	# killed by any PG-scoped signal (launchd unload, restart chain).
+	# (t2757, GH#20561, GH#21102). Without it, workers inherit pulse's PGID and
+	# are killed by any PG-scoped signal (launchd unload, restart chain).
 	#
 	# Linux: setsid ships with util-linux (present on all mainstream distros).
-	# macOS: available from macOS 12+ at /usr/bin/setsid. Older versions need
-	#        util-linux via Homebrew (brew install util-linux).
+	# macOS: available from macOS 12+ at /usr/bin/setsid. Older macOS or systems
+	#        where /usr/bin/setsid is absent need util-linux via Homebrew.
+	#        util-linux is keg-only on Homebrew — binary is not linked into PATH
+	#        automatically, so we create a symlink after install.
 	if command -v setsid >/dev/null 2>&1; then
 		local setsid_path
 		setsid_path="$(command -v setsid)"
@@ -403,23 +405,51 @@ setup_setsid_advisory() {
 		return 0
 	fi
 
-	# setsid missing — emit an advisory; it's a quality-of-life improvement,
-	# not a hard requirement (pulse falls back to nohup-only).
-	print_warning "setsid not found — pulse workers will share the pulse process group"
-	echo "  Impact: a pulse restart or launchd unload may kill in-flight workers"
-	echo "  (GH#20561 / t2757: worker survived 3/4 dispatches without setsid isolation)"
-	echo ""
+	# setsid missing — on macOS with Homebrew, auto-install util-linux and
+	# symlink setsid into PATH (GH#21102 / t2926). On Linux and macOS without
+	# Homebrew, emit an actionable error with install instructions.
 	if [[ "$(uname)" == "Darwin" ]]; then
 		if command -v brew >/dev/null 2>&1; then
-			echo "  Install: brew install util-linux"
+			print_info "setsid not found — installing util-linux for worker PGID isolation (GH#21102)"
+			if brew install util-linux 2>&1 | tail -3; then
+				# util-linux is keg-only: binary lives under the keg, not in /opt/homebrew/bin.
+				# Symlink setsid into a standard PATH directory so 'command -v setsid' works.
+				local brew_prefix
+				brew_prefix="$(brew --prefix 2>/dev/null || echo "")"
+				local keg_setsid="${brew_prefix}/opt/util-linux/bin/setsid"
+				local link_target="${brew_prefix}/bin/setsid"
+				if [[ -x "$keg_setsid" && ! -e "$link_target" ]]; then
+					ln -s "$keg_setsid" "$link_target" && \
+						print_success "Symlinked setsid: $keg_setsid → $link_target"
+				fi
+				# Verify setsid is now reachable
+				if command -v setsid >/dev/null 2>&1; then
+					print_success "setsid installed at $(command -v setsid) (worker PGID isolation enabled)"
+				else
+					print_error "util-linux installed but setsid still not in PATH — check brew --prefix"
+				fi
+			else
+				print_error "brew install util-linux failed — workers will share pulse PGID until resolved"
+				echo "  Manual fix: brew install util-linux"
+			fi
 		else
-			echo "  Install Homebrew first, then: brew install util-linux"
+			print_error "setsid not found — worker isolation broken; install util-linux"
+			echo "  Impact: every pulse restart sends SIGHUP to workers in its PGID,"
+			echo "          killing in-flight workers before they can finish (GH#21102)"
+			echo "  Fix:    install Homebrew, then run: brew install util-linux"
 			echo "  Or upgrade to macOS 12+ where /usr/bin/setsid ships by default"
 		fi
 	else
-		echo "  Install: sudo apt install util-linux  # Debian/Ubuntu"
-		echo "           sudo dnf install util-linux  # Fedora/RHEL"
-		echo "           sudo pacman -S util-linux    # Arch"
+		# Linux: setsid should be present on all mainstream distros via util-linux.
+		# If it is missing, emit an error rather than a warning — workers will be
+		# killed on every pulse cycle restart without it.
+		print_error "setsid not found — worker isolation broken; install util-linux"
+		echo "  Impact: every pulse restart sends SIGHUP to workers in its PGID,"
+		echo "          killing in-flight workers before they can finish (GH#21102)"
+		echo "  Fix:    sudo apt install util-linux     # Debian/Ubuntu"
+		echo "          sudo dnf install util-linux     # Fedora/RHEL"
+		echo "          sudo pacman -S util-linux       # Arch"
+		echo "          sudo apk add util-linux         # Alpine"
 	fi
 	echo ""
 

package/setup.sh

@@ -12,7 +12,7 @@ shopt -s inherit_errexit 2>/dev/null || true
 # AI Assistant Server Access Framework Setup Script
 # Helps developers set up the framework for their infrastructure
 #
-# Version: 3.11.17
+# Version: 3.13.0
 #
 # Quick Install:
 #   npm install -g aidevops && aidevops update          (recommended)
@@ -243,7 +243,16 @@ _launchd_install_if_changed() {
 
 	# Atomic write: build at sibling tmp path, then rename into place.
 	# If printf is killed mid-write, the destination is untouched.
-	local tmp_plist="${plist_path}.tmp.$$"
+	# mktemp avoids predictable tmp names (defense-in-depth against symlink attacks).
+	local tmp_plist
+	tmp_plist=$(mktemp "${plist_path}.XXXXXX") || return 1
+	# Guard: refuse to write empty content — catching this before the write avoids
+	# creating a tmp file that the file-size check would also catch, but the
+	# content check is more direct and gives a clearer failure point.
+	if [[ -z "$new_content" ]]; then
+		rm -f "$tmp_plist"
+		return 1
+	fi
 	if ! printf '%s\n' "$new_content" >"$tmp_plist"; then
 		rm -f "$tmp_plist"
 		return 1
@@ -254,7 +263,10 @@ _launchd_install_if_changed() {
 		rm -f "$tmp_plist"
 		return 1
 	fi
-	mv -f "$tmp_plist" "$plist_path"
+	if ! mv -f "$tmp_plist" "$plist_path"; then
+		rm -f "$tmp_plist"
+		return 1
+	fi
 	launchctl load "$plist_path" 2>/dev/null || return 1
 	return 0
 }
@@ -959,6 +971,62 @@ _deploy_hotfix_config() {
 	return 0
 }
 
+# t2919: Early pulse plist install. The pulse launchd agent is critical
+# infrastructure — without it, every other pulse-driven feature (worker
+# dispatch, issue routing, cross-repo coordination) is dead. Previously,
+# setup_supervisor_pulse only ran inside _setup_post_setup_steps which
+# executes AFTER ~25 other migration/setup steps. When `aidevops update`
+# runs unattended and any earlier step times out (e.g. brew taps, MCP
+# installs, slow repo scans), the pulse plist never gets installed/refreshed
+# and the runner falls behind.
+#
+# Install immediately after deploy_aidevops_agents (so the scripts the plist
+# references already exist on disk). The late install in _setup_post_setup_steps
+# remains as the canonical regenerate-on-change path — _launchd_install_if_changed
+# compares content and skips reload when identical, so the second call is a
+# no-op when nothing changed. Failure here is non-fatal: the late path retries.
+_setup_install_pulse_plist_early() {
+	local _early_os
+	_early_os="$(uname -s)"
+	if _should_setup_noninteractive_supervisor_pulse; then
+		setup_supervisor_pulse "$_early_os" || print_warning "Early pulse plist install failed (will retry late)"
+	fi
+	return 0
+}
+
+# Provision knowledge planes for all repos in repos.json where knowledge != "off".
+# Idempotent: already-provisioned directories are not modified.
+# Called from the non-interactive setup path (update) and after interactive init.
+setup_knowledge_planes() {
+	local repos_file="$HOME/.config/aidevops/repos.json"
+	local helper
+	helper="${BASH_SOURCE[0]%/*}/.agents/scripts/knowledge-helper.sh"
+	if [[ ! -f "$helper" ]]; then
+		helper="$HOME/.aidevops/agents/scripts/knowledge-helper.sh"
+	fi
+	if [[ ! -f "$helper" ]]; then
+		print_warning "knowledge-helper.sh not found — skipping knowledge plane provisioning"
+		return 0
+	fi
+	if [[ ! -f "$repos_file" ]]; then
+		return 0
+	fi
+	if ! command -v jq &>/dev/null; then
+		print_warning "jq not installed — skipping knowledge plane provisioning"
+		return 0
+	fi
+	local repo_path mode
+	while IFS=$'\t' read -r repo_path mode; do
+		[[ -z "$repo_path" || "$mode" == "off" ]] && continue
+		if [[ ! -d "$repo_path" ]]; then
+			print_warning "knowledge-plane: repo path not found: $repo_path"
+			continue
+		fi
+		bash "$helper" provision "$repo_path" || print_warning "knowledge-plane: provision failed for $repo_path"
+	done < <(jq -r '.initialized_repos[] | select(.knowledge != null and .knowledge != "off") | [.path, .knowledge] | @tsv' "$repos_file" 2>/dev/null || true)
+	return 0
+}
+
 # Non-interactive path: deploy agents and run safe migrations only (no prompts).
 _setup_run_non_interactive() {
 	print_info "Non-interactive mode: deploying agents and running safe migrations only"
@@ -966,6 +1034,9 @@ _setup_run_non_interactive() {
 	check_requirements
 	# Run quality tool detection in non-interactive mode too (warn-only path).
 	check_quality_tools
+	# Check setsid availability; auto-install util-linux on macOS if missing
+	# (GH#21102 / t2926: missing setsid kills workers on every pulse restart).
+	setup_setsid_advisory
 	check_python_upgrade_available
 	set_permissions
 	migrate_old_backups
@@ -990,6 +1061,7 @@ _setup_run_non_interactive() {
 	setup_opencode_cli
 	validate_opencode_config
 	deploy_aidevops_agents
+	_setup_install_pulse_plist_early
 	_deploy_hotfix_config
 	sync_agent_sources
 	install_aidevops_cli
@@ -1052,6 +1124,8 @@ _setup_run_non_interactive() {
 	# copies doesn't burn CPU (t2885). Idempotent. macOS only — Linux
 	# indexers tracked separately.
 	setup_worktree_exclusions
+	# Provision knowledge planes for repos where knowledge != "off" (idempotent).
+	setup_knowledge_planes
 	return 0
 }
 
@@ -1172,6 +1246,12 @@ _setup_noninteractive_schedulers() {
 	if _should_setup_noninteractive_supervisor_pulse; then
 		setup_supervisor_pulse "$os"
 	fi
+	# t2939: pulse-watchdog (independent revival mechanism). Always installed
+	# alongside the pulse — it is a no-op when pulse is disabled. Skipping the
+	# `_should_setup_noninteractive_*` guard intentionally: this is layered
+	# defense, the cost of installing it is one plist file, and the user opts
+	# in by enabling the pulse itself.
+	setup_pulse_watchdog "${PULSE_ENABLED:-}"
 	# Regenerate other schedulers if already installed (GH#17695 Finding B).
 	# Stats wrapper is a pulse dependency — also install on first run when
 	# the supervisor pulse is consented (t2418, GH#20016).
@@ -1197,6 +1277,15 @@ _setup_noninteractive_schedulers() {
 	if _should_setup_noninteractive_scheduler "Complexity scan" "sh.aidevops.complexity-scan" "aidevops: complexity-scan" "aidevops-complexity-scan"; then
 		setup_complexity_scan
 	fi
+	# t2862 (GH#20919): pulse merge routine — fast 120s standalone merge pass
+	if _should_setup_noninteractive_scheduler "Pulse merge routine" "sh.aidevops.pulse-merge-routine" "aidevops: pulse-merge-routine" "aidevops-pulse-merge-routine"; then
+		setup_pulse_merge_routine
+	fi
+	# t2932 (GH#21125): peer productivity monitor — adaptive cross-runner
+	# dispatch coordination, runs every 30 min.
+	if _should_setup_noninteractive_scheduler "Peer productivity monitor" "sh.aidevops.peer-productivity-monitor" "aidevops: peer-productivity-monitor" "aidevops-peer-productivity-monitor"; then
+		setup_peer_productivity_monitor
+	fi
 	# Repo sync handles non-interactive mode internally (systemd detection fixed in GH#17861)
 	setup_repo_sync
 	# r914 repo-aidevops-health — daily drift keeper (t2366)
@@ -1248,6 +1337,8 @@ _setup_post_setup_steps() {
 	# Post-setup: auto-update, schedulers, final instructions (GH#5793)
 	setup_auto_update
 	setup_supervisor_pulse "$os"
+	# t2939: pulse-watchdog — independent revival mechanism, layered defense.
+	setup_pulse_watchdog "${PULSE_ENABLED:-}"
 	setup_stats_wrapper "${PULSE_ENABLED:-}"
 	setup_failure_miner "${PULSE_ENABLED:-}"
 	setup_repo_sync
@@ -1258,6 +1349,7 @@ _setup_post_setup_steps() {
 	setup_screen_time_snapshot
 	setup_contribution_watch
 	setup_complexity_scan
+	setup_pulse_merge_routine
 	setup_draft_responses
 	setup_profile_readme
 	setup_oauth_token_refresh