From b9baf42a475ed5f939accabe0ec7b775b1f9804d Mon Sep 17 00:00:00 2001 From: Tibsfox Date: Mon, 6 Apr 2026 19:02:53 -0700 Subject: [PATCH] fix(gsd): add verification gate to complete-slice tool complete-slice had no check on the provided verification/UAT content, allowing agents to mark slices complete even when verification clearly failed. The prompt told agents to always call the tool, but the tool blindly accepted. Now rejects completion when verification or UAT content contains blocked/failed signals (status: blocked, verification_result: failed, etc.), forcing agents to address blockers before advancing. Closes #3580 Co-Authored-By: Claude Opus 4.6 (1M context) --- src/resources/extensions/gsd/tools/complete-slice.ts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/resources/extensions/gsd/tools/complete-slice.ts b/src/resources/extensions/gsd/tools/complete-slice.ts index bf374a622..90edd0b00 100644 --- a/src/resources/extensions/gsd/tools/complete-slice.ts +++ b/src/resources/extensions/gsd/tools/complete-slice.ts @@ -233,6 +233,15 @@ export async function handleCompleteSlice( return { error: ownershipErr }; } + // ── Verification content gate (#3580) ────────────────────────────────── + // Reject completion when the provided verification/UAT clearly indicates + // the slice is blocked or failed. Prevents prompt regressions from + // silently advancing blocked slices. + const BLOCKED_SIGNALS = /\b(status:\s*blocked|verification_result:\s*failed|slice is blocked|cannot complete|verification failed)\b/i; + if (BLOCKED_SIGNALS.test(params.verification || "") || BLOCKED_SIGNALS.test(params.uatContent || "")) { + return { error: `slice verification indicates blocked/failed state — do not complete a slice that has not passed verification. Address the blockers and re-verify first.` }; + } + // ── Guards + DB writes inside a single transaction (prevents TOCTOU) ─── const completedAt = new Date().toISOString(); let guardError: string | null = null;