fix(groundskeeper): prevent duplicate wellness issues, fix auto-update env vars, standardize API keys

Three fixes for groundskeeper operational issues:

1. Health-check duplicate issue creation: Stagger wellness workflow cron
   schedules (+5min, +10min), use stable issue title without timestamp,
   add title-based fallback search and post-creation dedup guard.

2. Auto-update missing env vars: Pass LONGTERMWIKI_SERVER_URL and scoped
   API keys to the CI pipeline step (was only in "Build data layer" step).
   Also switch paranoid review to use parseJsonFromLlm for better JSON
   recovery from truncated LLM responses.

3. API key consistency: Migrate session-sweep and groundskeeper wiki-server
   client from WIKI_SERVER_API_KEY to LONGTERMWIKI_PROJECT_KEY with
   LONGTERMWIKI_SERVER_API_KEY fallback, matching snapshot-retention pattern.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: OAGr

.claude/audits.yaml

@@ -165,6 +165,14 @@ post_merge:
     checked_date: "2026-03-05"
     notes: "Verified: all audits subcommands work (list, report, run-auto, check). YAML schema valid. 7 audits + 2 post-merge items tracked correctly. run-auto executes hybrid check_commands."
 
+  - id: groundskeeper-fixes-post-merge
+    pr: 1813
+    merged: "2026-03-06"
+    claim: "Staggered wellness cron schedules prevent duplicate issue creation; auto-update env vars enable session log writing; groundskeeper API key migration works"
+    how_to_verify: "After next 8AM/PM UTC wellness run, check that only 1 wellness issue is created (not duplicates). Check next auto-update run for no LONGTERMWIKI_SERVER_URL warnings. Check groundskeeper logs for no API key errors."
+    status: pending
+    deadline: "2026-03-20"
+
   - id: reviewdog-ci-annotations
     pr: 1787
     merged: "2026-03-05"

.github/workflows/auto-update.yml

@@ -103,6 +103,10 @@ jobs:
           FIRECRAWL_KEY: ${{ secrets.FIRECRAWL_KEY }}
           EXA_API_KEY: ${{ secrets.EXA_API_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LONGTERMWIKI_SERVER_URL: ${{ secrets.LONGTERMWIKI_SERVER_URL }}
+          LONGTERMWIKI_SERVER_API_KEY: ${{ secrets.LONGTERMWIKI_SERVER_API_KEY }}
+          LONGTERMWIKI_PROJECT_KEY: ${{ secrets.LONGTERMWIKI_PROJECT_KEY }}
+          LONGTERMWIKI_CONTENT_KEY: ${{ secrets.LONGTERMWIKI_CONTENT_KEY }}
         run: |
           ARGS="--budget=${{ inputs.budget || '30' }} --count=${{ inputs.count || '3' }} --verbose"
 

.github/workflows/ci-pr-health.yml

@@ -14,8 +14,8 @@ run-name: "CI & PR Health${{ vars.AUTOMATION_PAUSED == 'true' && ' [PAUSED]' ||
 
 on:
   schedule:
-    - cron: "0 8 * * *" # 8 AM UTC daily
-    - cron: "0 20 * * *" # 8 PM UTC daily
+    - cron: "10 8 * * *" # 8:10 AM UTC daily (staggered +10min from server-api-health to avoid duplicate issue creation)
+    - cron: "10 20 * * *" # 8:10 PM UTC daily
   workflow_dispatch:
 
 concurrency:

.github/workflows/frontend-data-health.yml

@@ -11,8 +11,8 @@ name: Frontend & Data Health
 
 on:
   schedule:
-    - cron: "0 8 * * *" # 8 AM UTC daily
-    - cron: "0 20 * * *" # 8 PM UTC daily
+    - cron: "5 8 * * *" # 8:05 AM UTC daily (staggered +5min from server-api-health to avoid duplicate issue creation)
+    - cron: "5 20 * * *" # 8:05 PM UTC daily
   workflow_dispatch:
 
 concurrency:

apps/groundskeeper/src/tasks/session-sweep.test.ts

@@ -62,12 +62,13 @@ describe("sessionSweep", () => {
 
   beforeEach(() => {
     config = makeConfig();
-    process.env["WIKI_SERVER_API_KEY"] = "test-key";
+    process.env["LONGTERMWIKI_PROJECT_KEY"] = "test-key";
   });
 
   afterEach(() => {
     vi.restoreAllMocks();
-    delete process.env["WIKI_SERVER_API_KEY"];
+    delete process.env["LONGTERMWIKI_PROJECT_KEY"];
+    delete process.env["LONGTERMWIKI_SERVER_API_KEY"];
   });
 
   it("returns success with no stale sessions message when swept=0", async () => {
@@ -101,15 +102,36 @@ describe("sessionSweep", () => {
     expect((calls[0][1] as RequestInit).method).toBe("POST");
   });
 
-  it("returns failure when API key is not set", async () => {
-    delete process.env["WIKI_SERVER_API_KEY"];
+  it("returns failure when no API key is set", async () => {
+    delete process.env["LONGTERMWIKI_PROJECT_KEY"];
+    delete process.env["LONGTERMWIKI_SERVER_API_KEY"];
 
     const result = await sessionSweep(config);
 
     expect(result.success).toBe(false);
     expect(result.summary).toContain("failed");
   });
 
+  it("uses LONGTERMWIKI_SERVER_API_KEY as fallback when project key is absent", async () => {
+    delete process.env["LONGTERMWIKI_PROJECT_KEY"];
+    process.env["LONGTERMWIKI_SERVER_API_KEY"] = "legacy-superkey";
+
+    vi.stubGlobal(
+      "fetch",
+      vi.fn().mockResolvedValue({
+        ok: true,
+        json: async () => ({ swept: 0, sessions: [] }),
+      })
+    );
+
+    const result = await sessionSweep(config);
+
+    expect(result.success).toBe(true);
+    const calls = vi.mocked(fetch).mock.calls;
+    const headers = (calls[0][1] as RequestInit).headers as Record<string, string>;
+    expect(headers.Authorization).toBe("Bearer legacy-superkey");
+  });
+
   it("returns failure when sweep endpoint fails", async () => {
     vi.stubGlobal(
       "fetch",

apps/groundskeeper/src/tasks/session-sweep.ts

@@ -27,10 +27,16 @@ async function callSweepEndpoint(
   timeoutHours: number,
 ): Promise<SweepResponse | null> {
   const url = `${config.wikiServerUrl}/api/agent-sessions/sweep`;
-  const apiKey = process.env["WIKI_SERVER_API_KEY"];
+  // Use project-scoped key (preferred) or legacy superkey (fallback).
+  // The /api/agent-sessions/* routes require `project` scope.
+  const apiKey =
+    process.env["LONGTERMWIKI_PROJECT_KEY"] ??
+    process.env["LONGTERMWIKI_SERVER_API_KEY"];
 
   if (!apiKey) {
-    logger.warn("WIKI_SERVER_API_KEY not set, skipping sweep");
+    logger.warn(
+      "Neither LONGTERMWIKI_PROJECT_KEY nor LONGTERMWIKI_SERVER_API_KEY is set — skipping sweep",
+    );
     return null;
   }
 

apps/groundskeeper/src/wiki-server.ts

@@ -23,10 +23,15 @@ async function apiRequest<T>(
   body?: unknown,
 ): Promise<ApiResult<T>> {
   const url = `${config.wikiServerUrl}${path}`;
-  const apiKey = process.env["WIKI_SERVER_API_KEY"];
+  // Use project-scoped key (preferred) or legacy superkey (fallback).
+  // Do NOT use WIKI_SERVER_API_KEY — that name is ambiguous and may refer
+  // to a different key scope. See snapshot-retention.ts for the same pattern.
+  const apiKey =
+    process.env["LONGTERMWIKI_PROJECT_KEY"] ??
+    process.env["LONGTERMWIKI_SERVER_API_KEY"];
 
   if (!apiKey) {
-    return { ok: false, error: "WIKI_SERVER_API_KEY not set" };
+    return { ok: false, error: "Neither LONGTERMWIKI_PROJECT_KEY nor LONGTERMWIKI_SERVER_API_KEY is set" };
   }
 
   try {

crux/auto-update/ci-orchestrate.ts

@@ -32,6 +32,7 @@ import {
 import { computeRiskScores } from './ci-risk-scores.ts';
 import { runContentChecks } from './ci-content-checks.ts';
 import { buildPrBody } from './ci-pr-body.ts';
+import { parseJsonFromLlm } from '../lib/json-parsing.ts';
 
 // ── Types ────────────────────────────────────────────────────────────────────
 
@@ -255,27 +256,18 @@ async function runParanoidReview(verbose: boolean): Promise<{ alerts: ReviewAler
       continue;
     }
 
-    // Extract JSON line (guards against pnpm/dotenv preamble)
-    const jsonLine = resultRaw
-      .split('\n')
-      .filter(line => line.trim().startsWith('{'))
-      .pop();
-
-    if (!jsonLine) {
-      console.warn(`::warning::${pageId} -- review produced no JSON output`);
-      continue;
-    }
-
-    let result: {
+    // Parse JSON from LLM output (handles code fences, preamble, truncation)
+    const result = parseJsonFromLlm<{
       needsReResearch?: boolean;
       gapCount?: number;
       overallAssessment?: string;
       error?: string;
-    };
-    try {
-      result = JSON.parse(jsonLine);
-    } catch {
-      console.warn(`::warning::${pageId} -- review JSON parse failed`);
+    }>(resultRaw, `paranoid-review:${pageId}`, () => {
+      console.warn(`::warning::${pageId} -- review JSON could not be parsed, skipping`);
+      return { error: 'unparseable' };
+    });
+
+    if (result.error === 'unparseable') {
       continue;
     }
 

crux/health/wellness-report.test.ts

@@ -10,7 +10,7 @@
 
 import { describe, it, expect } from 'vitest';
 import type { CheckResult } from './health-check.ts';
-import { buildWellnessReport } from './wellness-report.ts';
+import { buildWellnessReport, WELLNESS_ISSUE_TITLE } from './wellness-report.ts';
 
 function makeCheck(overrides: Partial<CheckResult> = {}): CheckResult {
   return {
@@ -139,3 +139,12 @@ describe('buildWellnessReport', () => {
     expect(report.markdownSummary).not.toContain('<details>');
   });
 });
+
+describe('WELLNESS_ISSUE_TITLE', () => {
+  it('is a stable string without a timestamp', () => {
+    // The title must be stable (no timestamp) so that concurrent workflow
+    // runs can find each other's issues and avoid duplicates.
+    expect(WELLNESS_ISSUE_TITLE).toBe('System wellness check failing');
+    expect(WELLNESS_ISSUE_TITLE).not.toMatch(/\d{4}-\d{2}-\d{2}/);
+  });
+});

crux/health/wellness-report.ts

@@ -113,6 +113,8 @@ export function buildWellnessReport(checks: CheckResult[]): WellnessReport {
 // GitHub issue management
 // ─────────────────────────────────────────────────────────────────────────────
 
+export const WELLNESS_ISSUE_TITLE = 'System wellness check failing';
+
 interface GitHubIssue {
   number: number;
   state: string;
@@ -123,22 +125,82 @@ interface GitHubIssue {
 /**
  * Find the existing open wellness issue (if any).
  * Returns the issue number, or null if none exists.
+ *
+ * Uses a two-stage search: first by label (fast, indexed), then by title
+ * prefix as fallback (catches cases where the label was manually removed).
  */
 async function findOpenWellnessIssue(): Promise<number | null> {
   try {
-    const issues = await githubApi<GitHubIssue[]>(
-      `/repos/${REPO}/issues?labels=wellness&state=open&per_page=1`,
+    // Primary: search by label
+    const byLabel = await githubApi<GitHubIssue[]>(
+      `/repos/${REPO}/issues?labels=wellness&state=open&per_page=5`,
     );
-    if (issues.length > 0) {
-      return issues[0].number;
+    if (byLabel.length > 0) {
+      return byLabel[0].number;
     }
+
+    // Fallback: search recent open issues by title prefix
+    const recent = await githubApi<GitHubIssue[]>(
+      `/repos/${REPO}/issues?state=open&per_page=30&sort=created&direction=desc`,
+    );
+    const match = recent.find((i) => i.title.startsWith(WELLNESS_ISSUE_TITLE));
+    if (match) {
+      return match.number;
+    }
+
     return null;
   } catch {
     // GitHub API failure — don't block the report
     return null;
   }
 }
 
+/**
+ * Close duplicate wellness issues that were created by concurrent workflow runs.
+ * Keeps the oldest (lowest number) and closes the rest as duplicates.
+ */
+async function deduplicateWellnessIssues(): Promise<void> {
+  try {
+    // Brief delay to let concurrent creates finish
+    await new Promise((r) => setTimeout(r, 2000));
+
+    const openIssues = await githubApi<GitHubIssue[]>(
+      `/repos/${REPO}/issues?labels=wellness&state=open&per_page=10`,
+    );
+
+    if (openIssues.length <= 1) return;
+
+    // Keep the oldest (lowest number), close the rest
+    const sorted = [...openIssues].sort((a, b) => a.number - b.number);
+    const keeper = sorted[0];
+
+    for (const issue of sorted.slice(1)) {
+      try {
+        await githubApi(`/repos/${REPO}/issues/${issue.number}/comments`, {
+          method: 'POST',
+          body: {
+            body: `Closing as duplicate of #${keeper.number} (created by concurrent wellness check workflow).`,
+          },
+        });
+        await githubApi(`/repos/${REPO}/issues/${issue.number}`, {
+          method: 'PATCH',
+          body: { state: 'closed' },
+        });
+        console.log(`Closed duplicate wellness issue #${issue.number} (keeping #${keeper.number})`);
+      } catch (err) {
+        console.warn(
+          `Failed to close duplicate #${issue.number}: ${err instanceof Error ? err.message : String(err)}`,
+        );
+      }
+    }
+  } catch (err) {
+    // Best-effort dedup — don't fail the workflow over this
+    console.warn(
+      `Dedup check failed: ${err instanceof Error ? err.message : String(err)}`,
+    );
+  }
+}
+
 /**
  * Ensure the "wellness" label exists on the repo.
  * No-ops if it already exists (409 Conflict).
@@ -192,19 +254,24 @@ export async function manageWellnessIssue(
       console.log(`Updated existing wellness issue #${existingIssue}`);
       return { action: 'updated', issueNumber: existingIssue };
     } else {
-      // Create new issue
+      // Create new issue with a stable title (no timestamp) so concurrent
+      // workflows can find it via findOpenWellnessIssue(). The timestamp
+      // is already in the issue body.
       const created = await githubApi<{ number: number }>(
         `/repos/${REPO}/issues`,
         {
           method: 'POST',
           body: {
-            title: `System wellness check failing (${report.timestamp})`,
+            title: WELLNESS_ISSUE_TITLE,
             body: report.issueBody,
             labels: ['wellness', 'bug'],
           },
         },
       );
 
+      // Best-effort dedup: close any duplicates from concurrent workflows
+      await deduplicateWellnessIssues();
+
       console.log(`Created new wellness issue #${created.number}`);
       return { action: 'created', issueNumber: created.number };
     }