aidevops 3.13.10 → 3.13.11

package/VERSION

@@ -1 +1 @@
-3.13.10
+3.13.11

package/aidevops.sh

@@ -5,7 +5,7 @@
 # AI DevOps Framework CLI
 # Usage: aidevops <command> [options]
 #
-# Version: 3.13.10
+# Version: 3.13.11
 
 set -euo pipefail
 
@@ -521,6 +521,90 @@ _update_check_setsid() {
 	return 0
 }
 
+# GH#21735: Notify operator when framework workflow templates change.
+# When .agents/templates/workflows/*.yml or *-reusable.yml workflows change
+# in a framework update, downstream repos that use these as workflow_call
+# callers may have drifted from the new template. Detection and remediation
+# both already exist (`aidevops check-workflows`, `aidevops sync-workflows
+# --apply`); the gap was the notification surface — operators only learned
+# of drift when downstream CI failed (canonical incident: a managed
+# downstream repo's issue-sync.yml failed silently after the upstream
+# template added a new input).
+#
+# This check inspects the SHA-window diff for changes to workflow caller
+# templates and reusable workflows, prints a warning, and emits a daily
+# advisory so the next session greeting surfaces it if the operator
+# misses the inline output.
+#
+# Args: $1=old_sha, $2=new_sha
+# Returns: 0 (always — informational only, never breaks update)
+_update_check_workflow_drift() {
+	local old_sha="$1"
+	local new_sha="$2"
+	[[ -z "$old_sha" || -z "$new_sha" || "$old_sha" == "$new_sha" ]] && return 0
+	# `.git` is a directory in a regular repo and a file in a worktree;
+	# `-e` covers both so the helper is testable from a worktree.
+	[[ ! -e "$INSTALL_DIR/.git" ]] && return 0
+
+	# Files that propagate to downstream caller workflows OR are themselves
+	# reusable workflow definitions referenced by downstream callers.
+	# Internal .github/workflows/*.yml hotfixes (e.g. self-test runs) are
+	# intentionally skipped to avoid false-positive nags.
+	local relevant_files
+	relevant_files=$(git -C "$INSTALL_DIR" diff --name-only "$old_sha" "$new_sha" -- \
+		'.agents/templates/workflows/' \
+		'.github/workflows/' \
+		2>/dev/null \
+		| grep -E '(\.agents/templates/workflows/.*\.ya?ml$|\.github/workflows/.*-reusable\.ya?ml$)' \
+		|| true)
+	[[ -z "$relevant_files" ]] && return 0
+
+	local file_count
+	file_count=$(printf '%s\n' "$relevant_files" | wc -l | tr -d ' ')
+	echo ""
+	print_warning "Workflow templates updated ($file_count file(s)) — downstream callers may have drifted."
+	print_info "  Detect drift: aidevops check-workflows"
+	print_info "  Apply fix:    aidevops sync-workflows --apply [--repo OWNER/REPO]"
+
+	# Persist as advisory so the next session greeting surfaces it even if
+	# the operator misses the inline warning. Day-stamped ID makes repeated
+	# updates within the same day idempotent (one advisory per day);
+	# 'aidevops security dismiss <id>' silences a specific day's advisory.
+	_update_emit_workflow_drift_advisory "$relevant_files" || true
+	return 0
+}
+
+# Companion to _update_check_workflow_drift — separated for testability.
+# Args: $1=relevant_files (newline-separated)
+# Returns: 0 (always — fail-open; advisory write must never break update)
+_update_emit_workflow_drift_advisory() {
+	local relevant_files="$1"
+	local advisories_dir="${HOME}/.aidevops/advisories"
+	local adv_id
+	adv_id="workflow-drift-$(date +%Y%m%d)"
+	local dismissed_file="$advisories_dir/dismissed.txt"
+
+	# Skip if today's advisory was already dismissed.
+	if [[ -f "$dismissed_file" ]] && grep -qxF "$adv_id" "$dismissed_file" 2>/dev/null; then
+		return 0
+	fi
+
+	mkdir -p "$advisories_dir" 2>/dev/null || return 0
+	local adv_file="$advisories_dir/${adv_id}.advisory"
+
+	{
+		printf 'Workflow templates changed — downstream caller workflows may have drifted.\n'
+		printf '\n'
+		printf 'Files changed in this update:\n'
+		printf '%s\n' "$relevant_files" | sed 's|^|  |'
+		printf '\n'
+		printf 'Detect drift: aidevops check-workflows\n'
+		printf 'Apply fix:    aidevops sync-workflows --apply [--repo OWNER/REPO]\n'
+		printf 'Background:   reference/reusable-workflows.md\n'
+	} >"$adv_file" 2>/dev/null || return 0
+	return 0
+}
+
 # Verify supply chain signature after pulling framework updates.
 # Checks that the HEAD commit is signed by the trusted maintainer key.
 # Non-blocking: warns on failure, does not abort the update.
@@ -687,6 +771,11 @@ cmd_update() {
 							print_info "Re-running setup to deploy latest scripts..."
 							bash "$INSTALL_DIR/setup.sh" --non-interactive
 						fi
+						# GH#21735: workflow templates can change between
+						# releases without triggering has_code_drift (templates
+						# live outside the deploy-affecting paths). Check the
+						# template subset separately and surface drift.
+						_update_check_workflow_drift "$deployed_sha" "$local_hash"
 					fi
 				fi
 			fi
@@ -717,6 +806,9 @@ cmd_update() {
 					git log --oneline "$old_hash..$new_hash" | grep -E '^[a-f0-9]+ (feat|fix|refactor|perf|docs):' | head -20
 					[[ "$total_commits" -gt 20 ]] && echo "  ... and more (run 'git log --oneline' in $INSTALL_DIR for full list)"
 				fi
+				# GH#21735: surface workflow template drift so the
+				# operator can resync downstream callers before CI bites.
+				_update_check_workflow_drift "$old_hash" "$new_hash"
 			fi
 			echo ""
 			# Verify supply chain integrity before applying changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aidevops",
-  "version": "3.13.10",
+  "version": "3.13.11",
   "description": "AI DevOps Framework - AI-assisted development workflows, code quality, and deployment automation",
   "type": "module",
   "bin": {

package/setup-modules/schedulers-platform.sh

@@ -47,27 +47,22 @@ fi
 # --- Functions ---
 
 # Resolve and validate the log directory from config for contribution watch.
-# Reads paths.log_dir from jsonc config, validates characters, expands tilde.
+# Delegates resolution to _resolve_log_dir (shared-constants.sh), then applies
+# install-time character validation (safe for shell paths and cron lines).
 # Prints the resolved absolute path. Returns 1 on invalid characters.
 _resolve_cw_log_dir() {
 	local _cw_log_dir
-	# shellcheck disable=SC2088  # Tilde is intentionally literal here; expanded below via ${/#\~/$HOME}
-	if type _jsonc_get &>/dev/null; then
-		_cw_log_dir=$(_jsonc_get "paths.log_dir" "~/.aidevops/logs")
-	else
-		_cw_log_dir="~/.aidevops/logs"
-	fi
+	_cw_log_dir=$(_resolve_log_dir)
 	# Whitelist: only allow characters safe in shell paths and cron lines.
-	# Reject anything outside [A-Za-z0-9_./ ~-] (tilde allowed before expansion).
+	# Reject anything outside [A-Za-z0-9_./ -] (tilde already expanded by _resolve_log_dir).
 	# Store regex in variable — bash [[ =~ ]] requires unquoted RHS for regex,
 	# and a variable avoids quoting issues with special chars in the pattern.
-	local _cw_log_dir_re='^[A-Za-z0-9_./ ~-]+$'
+	local _cw_log_dir_re='^[A-Za-z0-9_./ -]+$'
 	if ! [[ "$_cw_log_dir" =~ $_cw_log_dir_re ]]; then
 		# Redirect to stderr so $() captures only the path result
-		print_error "Invalid characters in paths.log_dir (only [A-Za-z0-9_./ ~-] allowed): $_cw_log_dir" >&2
+		print_error "Invalid characters in paths.log_dir (only [A-Za-z0-9_./ -] allowed): $_cw_log_dir" >&2
 		return 1
 	fi
-	_cw_log_dir="${_cw_log_dir/#\~/$HOME}"
 	printf '%s' "$_cw_log_dir"
 	return 0
 }
@@ -310,18 +305,35 @@ setup_complexity_scan() {
 	return 0
 }
 
-# Install pulse-merge-routine launchd plist (macOS).
-# Args: $1=label $2=script $3=log_dir
+# Install the dedicated merge-pass launchd plist (macOS).
+# Supersedes the t2862 sh.aidevops.pulse-merge-routine approach (t21247, GH#21247):
+#   - Label: com.aidevops.aidevops-supervisor-merge
+#   - Script: pulse-wrapper.sh --merge-only (full bootstrap + merge only)
+#   - Interval: 60s (down from 120s) — targets <=90s PR-green-to-merged latency
+#   - Log: pulse-merge.log (isolated from main pulse log)
+#
+# Args: $1=label $2=wrapper_script $3=log_dir
 _install_pulse_merge_routine_launchd() {
 	local pmr_label="$1"
 	local pmr_script="$2"
 	local _pmr_log_dir="$3"
 	local pmr_plist="$HOME/Library/LaunchAgents/${pmr_label}.plist"
 
-	local _xml_pmr_script _xml_pmr_home _xml_pmr_log_dir
+	# One-time migration: unload and remove the legacy sh.aidevops.pulse-merge-routine
+	# plist (installed by t2862) to avoid running two merge passes simultaneously.
+	local _legacy_pmr_label="sh.aidevops.pulse-merge-routine"
+	local _legacy_pmr_plist="$HOME/Library/LaunchAgents/${_legacy_pmr_label}.plist"
+	if [[ -f "$_legacy_pmr_plist" ]]; then
+		launchctl unload "$_legacy_pmr_plist" 2>/dev/null || true
+		rm -f "$_legacy_pmr_plist"
+		print_info "Removed legacy pulse-merge-routine plist (superseded by ${pmr_label})"
+	fi
+
+	local _xml_pmr_script _xml_pmr_home _xml_pmr_log_dir _xml_bash_bin
 	_xml_pmr_script=$(_xml_escape "$pmr_script")
 	_xml_pmr_home=$(_xml_escape "$HOME")
 	_xml_pmr_log_dir=$(_xml_escape "$_pmr_log_dir")
+	_xml_bash_bin=$(_xml_escape "$(_resolve_modern_bash)")
 
 	local pmr_plist_content
 	pmr_plist_content=$(
@@ -334,16 +346,16 @@ _install_pulse_merge_routine_launchd() {
 	<string>${pmr_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
+		<string>${_xml_bash_bin}</string>
 		<string>${_xml_pmr_script}</string>
-		<string>run</string>
+		<string>--merge-only</string>
 	</array>
 	<key>StartInterval</key>
-	<integer>120</integer>
+	<integer>60</integer>
 	<key>StandardOutPath</key>
-	<string>${_xml_pmr_log_dir}/pulse-merge-routine.log</string>
+	<string>${_xml_pmr_log_dir}/pulse-merge.log</string>
 	<key>StandardErrorPath</key>
-	<string>${_xml_pmr_log_dir}/pulse-merge-routine.log</string>
+	<string>${_xml_pmr_log_dir}/pulse-merge.log</string>
 	<key>EnvironmentVariables</key>
 	<dict>
 		<key>PATH</key>
@@ -352,8 +364,6 @@ _install_pulse_merge_routine_launchd() {
 		<string>${_xml_pmr_home}</string>
 	</dict>
 	<key>RunAtLoad</key>
-	<true/>
-	<key>KeepAlive</key>
 	<false/>
 	<key>ProcessType</key>
 	<string>Background</string>
@@ -361,50 +371,77 @@ _install_pulse_merge_routine_launchd() {
 	<true/>
 	<key>Nice</key>
 	<integer>10</integer>
+	<key>SoftResourceLimits</key>
+	<dict>
+		<key>NumberOfFiles</key>
+		<integer>4096</integer>
+	</dict>
 </dict>
 </plist>
 PMR_PLIST
 	)
 
 	if _launchd_install_if_changed "$pmr_label" "$pmr_plist" "$pmr_plist_content"; then
-		print_info "Pulse merge routine enabled (launchd, every 2 min)"
+		print_info "Pulse merge pass enabled (launchd, every 60s via --merge-only)"
 	else
-		print_warning "Failed to load pulse merge routine LaunchAgent"
+		print_warning "Failed to load pulse merge pass LaunchAgent"
 	fi
 	return 0
 }
 
-# Install pulse-merge-routine via systemd or cron (Linux).
-# Args: $1=script path, $2=log dir
+# Install the dedicated merge-pass scheduler via systemd or cron (Linux).
+# Supersedes the t2862 aidevops-pulse-merge-routine approach (t21247, GH#21247):
+#   - Command: pulse-wrapper.sh --merge-only
+#   - Interval: every 60s (cron * * * * *, systemd OnUnitActiveSec=60)
+#   - Log: pulse-merge.log
+# Args: $1=wrapper_script $2=log_dir
 _install_pulse_merge_routine_linux() {
 	local pmr_script="$1"
 	local _pmr_log_dir="$2"
-	local pmr_systemd="aidevops-pulse-merge-routine"
+	local pmr_systemd="aidevops-pulse-merge"
+
+	# One-time migration: remove legacy systemd/cron entry for aidevops-pulse-merge-routine.
+	if _systemd_user_available 2>/dev/null; then
+		systemctl --user disable --now "aidevops-pulse-merge-routine.timer" 2>/dev/null || true
+		rm -f "$HOME/.config/systemd/user/aidevops-pulse-merge-routine.service" 2>/dev/null || true
+		rm -f "$HOME/.config/systemd/user/aidevops-pulse-merge-routine.timer" 2>/dev/null || true
+		systemctl --user daemon-reload 2>/dev/null || true
+	fi
+	if crontab -l 2>/dev/null | grep -qF "pulse-merge-routine"; then
+		crontab -l 2>/dev/null | grep -v 'aidevops: pulse-merge-routine' | crontab - 2>/dev/null || true
+	fi
+
 	_install_scheduler_linux \
 		"$pmr_systemd" \
-		"aidevops: pulse-merge-routine" \
-		"*/2 * * * *" \
-		"\"${pmr_script}\" run" \
-		"120" \
-		"${_pmr_log_dir}/pulse-merge-routine.log" \
+		"aidevops: pulse-merge (--merge-only)" \
+		"* * * * *" \
+		"\"${pmr_script}\" --merge-only" \
+		"60" \
+		"${_pmr_log_dir}/pulse-merge.log" \
 		"" \
-		"Pulse merge routine enabled (every 2 min)" \
-		"Failed to install pulse merge routine scheduler" \
+		"Pulse merge pass enabled (every 60s via --merge-only)" \
+		"Failed to install pulse merge pass scheduler" \
 		"true" \
 		"true"
 	return 0
 }
 
-# Setup pulse merge routine (t2862, GH#20919) — runs merge_ready_prs_all_repos()
-# as a fast 120s standalone routine, decoupled from the monolithic pulse cycle.
-# The pulse cycle's preflight stack (60-470s) meant the merge pass ran only ~7
-# times/24h despite ~40+ cycles. This routine ensures green PRs merge within ~3
-# min of CI completion. The in-cycle merge call in pulse-wrapper.sh is kept as
-# defense-in-depth but short-circuits when this routine ran within the last 60s.
+# Setup the dedicated merge-pass scheduler (t21247, GH#21247).
+#
+# Supersedes t2862/GH#20919 (pulse-merge-routine.sh, 120s interval). The new
+# approach runs pulse-wrapper.sh --merge-only every 60s so green PRs merge
+# within <=90s of CI completion regardless of dispatch-cycle length (~23 min
+# average). The full pulse bootstrap ensures all PULSE_* config and repo state
+# are available; the separate lockdir (pulse-merge-instance.lock) prevents
+# overlap with the main dispatch cycle lock.
+#
+# Requires: pulse-wrapper.sh must be installed and executable.
+# The in-cycle merge pass in pulse-wrapper.sh is kept as defense-in-depth —
+# it short-circuits when a merge pass ran within the last 60s.
 setup_pulse_merge_routine() {
-	local pmr_script="$HOME/.aidevops/agents/scripts/pulse-merge-routine.sh"
-	local pmr_label="sh.aidevops.pulse-merge-routine"
-	if ! [[ -x "$pmr_script" ]]; then
+	local pmr_wrapper="$HOME/.aidevops/agents/scripts/pulse-wrapper.sh"
+	local pmr_label="com.aidevops.aidevops-supervisor-merge"
+	if ! [[ -x "$pmr_wrapper" ]]; then
 		return 0
 	fi
 
@@ -415,9 +452,9 @@ setup_pulse_merge_routine() {
 
 	# Install/update scheduled runner
 	if [[ "$(uname -s)" == "Darwin" ]]; then
-		_install_pulse_merge_routine_launchd "$pmr_label" "$pmr_script" "$_pmr_log_dir"
+		_install_pulse_merge_routine_launchd "$pmr_label" "$pmr_wrapper" "$_pmr_log_dir"
 	else
-		_install_pulse_merge_routine_linux "$pmr_script" "$_pmr_log_dir"
+		_install_pulse_merge_routine_linux "$pmr_wrapper" "$_pmr_log_dir"
 	fi
 	return 0
 }

package/setup.sh

@@ -12,7 +12,7 @@ shopt -s inherit_errexit 2>/dev/null || true
 # AI Assistant Server Access Framework Setup Script
 # Helps developers set up the framework for their infrastructure
 #
-# Version: 3.13.10
+# Version: 3.13.11
 #
 # Quick Install:
 #   npm install -g aidevops && aidevops update          (recommended)