Three fixes for the session lock false positive loop:
1. Multi-path cleanup: Lock files accumulate across main project .gsd/,
worktree .gsd/, and projects registry paths, but cleanup only targeted
the current gsdRoot(). Added a _lockDirRegistry Set that tracks all
paths where locks are created. Both the exit handler and
releaseSessionLock() now clean all registered paths.
2. onCompromised hardening: When proper-lockfile fires onCompromised past
the stale window, check if the lock file metadata still contains our
PID before declaring compromise. Long subagent executions can stall
the event loop beyond the 30-min stale window without actual takeover.
3. Error messages: Include the lock file path and PID in error messages,
and suggest `gsd doctor --fix` as the recovery path.
Closes#1578
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The ensureNodeModulesSymlink function silently failed when: a real
directory existed instead of a symlink, the symlink target moved after
npm upgrade, or the symlink pointed to a deleted location. All three
cases left extensions unable to resolve @gsd/* packages, making GSD
completely non-functional.
Three fixes:
1. Use lstatSync to detect real directories vs symlinks and handle each
2. Verify the symlink target actually exists before considering it valid
3. Log a warning on symlinkSync failure instead of silently swallowing
4. Move ensureNodeModulesSymlink before the early-return version check
so it runs on EVERY launch, not just during resource syncs
Closes#1688
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The eager top-level import of @gsd/pi-tui in shared/ui.ts caused any
command that transitively loaded the shared/mod barrel (including /exit)
to fail when extensions were loaded from ~/.gsd/agent/extensions/ where
@gsd/pi-tui has no node_modules resolution path.
Replaced the static import with a lazy require() accessor that defers
resolution to the first makeUI() call, so modules that import shared/mod
for non-TUI exports (constants, format utils, etc.) no longer trigger
the unresolvable dependency.
Closes#1640
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Milestones were being marked complete with only .gsd/ plan files and
zero implementation code. Add hasImplementationArtifacts() that checks
git diff against the main branch to verify non-.gsd/ files exist.
Applied in both verifyExpectedArtifact (post-unit gate) and the
completing-milestone dispatch rule (pre-dispatch guard).
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When the process crashes between marking a task [x] in PLAN.md and
writing SUMMARY.md, the task appears done but has no summary. The doctor
previously papered over this by creating a stub summary, silently losing
the task. Now it unchecks the task so it re-executes on next run.
- Add markTaskUndoneInPlan to roadmap-mutations.ts
- Change doctor task_done_missing_summary fix: uncheck instead of stub
- Add markTaskUndoneInPlan helper to doctor.ts for async file ops
- Add test coverage for both the mutation and doctor behavior
Closes#1650
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When mergeAndExit cannot find the roadmap at the project root, it now
tries the worktree path as a fallback. If neither location has a roadmap,
the teardown preserves the branch (preserveBranch: true) so commits are
not orphaned when the worktree is pruned.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The crash lock was written with the session file path from before
runUnit() called newSession(), causing crash recovery to look up the
previous unit's session file instead of the current one. This meant
recovery reported "No session data recovered" even when 261KB of session
data was on disk.
Split the lock write into two phases: a preliminary lock (unit info only,
no session path) before runUnit for crash identification, then a full
lock update with the correct session file path after runUnit returns.
Closes#1710
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When .gsd is a symlink, git rejects `:!.gsd/...` pathspecs with
"beyond a symbolic link". nativeAddAllWithExclusions now catches this
error and falls back to plain `git add -A` (which respects .gitignore).
Auto-commit failures in postUnit are elevated from debug-only to a
visible warning notification so silent work loss is surfaced.
Closes#1712
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When nativeCommit returns null (nothing to commit), the worktree directory
and milestone branch are now preserved instead of unconditionally deleted.
This prevents data loss on WSL where git's stat cache can cause
autoCommitCurrentBranch to skip commits.
Additionally, nativeMergeSquash now re-throws non-conflict git failures
(bad ref, corrupt repo) instead of masking them as { success: true }.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When .gsd is a symlink, `worktreesDir()` returns the symlink path while
`nativeWorktreeList()` returns the resolved real path. The Set membership
check always fails, causing all worktrees to be flagged as orphaned and
deleted. Apply `realpathSync` and path separator normalization to both
sides of the comparison.
Closes#1715
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The extension loader emits "Extension does not export a valid factory
function" for shared libraries like cmux that live in the extensions/
directory but are not extensions. Previous fixes (#1537, #1545) added
pi manifest opt-out checks in the three discovery layers, but a
defense-in-depth gap remained: if any discovery path fails to filter
a library, loadExtension() reports it as a broken extension.
Add isNonExtensionLibrary() check in loadExtension() itself. When a
module does not export a factory function, the loader now checks the
nearest package.json for a "pi" manifest with no declared extensions
before reporting an error. Libraries with "pi": {} are silently
skipped instead of producing a spurious error on every startup.
Fixes#1709
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
consumeRetryTrigger() cleared the in-memory retry flag but did not undo
the doctor's [x] checkbox, delete SUMMARY.md, remove from completedUnits,
or delete the retry artifact. On the next loop iteration, deriveState()
saw the task as done and advanced past it — silently losing the retry.
When consumeRetryTrigger() returns a trigger, the code now:
1. Unchecks [x] → [ ] for the task in PLAN.md
2. Deletes SUMMARY.md for the task
3. Removes the unit from s.completedUnits and flushes to completed-units.json
4. Deletes the retry_on artifact (e.g. NEEDS-REWORK.md)
5. Invalidates caches so deriveState reads fresh disk state
Also extends the retry trigger type to include retryArtifact so the
consumer knows which artifact to clean up.
Fixes#1714
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixes#1726
Two bugs in bootstrapAutoSession():
1. The survivor branch check (Milestone branch recovery #601) included
needs-discussion in its phase filter. A branch created by a prior failed
bootstrap would set hasSurvivorBranch=true, skipping all showSmartEntry
calls and sending the session straight to auto-mode dispatch.
2. The !hasSurvivorBranch block only handled phase==="complete" and
phase==="pre-planning" with showSmartEntry calls. needs-discussion fell
through with no handler, reaching auto-mode which dispatched
"needs-discussion -> stop" immediately. Next /gsd run repeated the cycle.
Fix: Remove needs-discussion from the survivor branch phase filter (only
check pre-planning). Add an explicit needs-discussion handler that routes
to showSmartEntry and aborts if the discussion does not promote the draft.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parseRoadmapSlices() only understood checkbox format. When LLMs generated
markdown tables (## Slice Overview with pipe-delimited rows), the parser
returned empty results causing all_tasks_done_roadmap_not_checked errors
and auto-mode loops.
Add parseTableSlices() to detect and parse table format including slice
IDs, titles, risk levels, completion status, and dependencies. Broaden
heading matcher to accept alternate slice section headings.
Fixes#1736
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixes#1725
Added extractContextTitle() helper to parse the H1 heading from
CONTEXT.md or CONTEXT-DRAFT.md files. When a milestone has no
ROADMAP.md or SUMMARY.md, the title is now extracted from the
context file's heading (e.g. '# M005: Platform Foundation')
instead of falling back to the bare milestone ID.
This affects the 'no roadmap, no summary' branch in _deriveStateImpl()
where milestone titles were previously hardcoded to the milestone ID.
Four fixes for auto-mode telemetry and display bugs:
1. Metrics idempotency guard (metrics.ts)
- snapshotUnitMetrics now deduplicates entries by type+id+startedAt
- Prevents idle-watchdog from creating N duplicate entries per unit
- On duplicate: updates existing entry in-place instead of appending
- Observed: 31 duplicate entries for a single plan-slice unit
2. Elapsed time zero-guard (auto.ts, auto-dashboard.ts, dashboard-overlay.ts)
- getAutoDashboardData guards against autoStartTime=0 (uninitialized)
- formatAutoElapsed rejects negative, NaN, and >30-day values
- Dashboard overlay adds 30-day sanity check before formatting
- Observed: dashboard showed '492804h' (Date.now() - 0)
3. Em/en-dash title auto-fix (doctor.ts)
- Doctor now sanitizes em/en dashes in milestone H1 titles when fix=true
- Replaces Unicode dashes with ASCII hyphens in the roadmap file
- Prevents state document delimiter ambiguity
- delimiter_in_title issues are now marked fixable=true
4. Tests for all three fix areas
- Metrics: idempotency guard, simulated watchdog duplicate pattern
- Dashboard: negative/NaN autoStartTime handling
- Doctor: em-dash auto-fix with fix=true and fix=false verification
Root cause analysis:
- The idle watchdog (auto-timers.ts) calls closeoutUnit every 15s when
idle is detected. closeoutUnit calls snapshotUnitMetrics which blindly
appended to ledger.units. Each watchdog tick created a new entry with
identical type/id/startedAt but incremented finishedAt.
- autoStartTime defaults to 0 in the session class. If getAutoDashboardData
is called before auto-start sets the value, elapsed = Date.now() - 0.
- Milestone titles with em-dashes (U+2014) are written by the LLM during
roadmap creation and never sanitized, causing permanent doctor warnings.
saveJsonFile() used raw writeFileSync which could produce corrupt/partial
files on crash or SIGKILL. This affected 4 callers: queue-order.ts,
metrics.ts, routing-history.ts, and reactive-graph.ts.
Fix: replace writeFileSync with write-to-tmp + renameSync (the same
pattern already used by writeJsonFileAtomic). The rename is atomic on
POSIX filesystems, ensuring the target file is always either the old
valid content or the new valid content — never a partial write.
Tests: 8 new tests covering:
- File creation with valid JSON
- No .tmp file leakage on success
- Parent directory auto-creation
- Atomic overwrite of existing files
- Round-trip compatibility with loadJsonFile
- Equivalence with writeJsonFileAtomic
- Large data objects
- Non-fatal on permission errors
Use Node's os module instead of hardcoded Unix paths:
- tui.ts: path.join(os.tmpdir(), 'tui') for debug dir
- cmux/index.ts: join(tmpdir(), 'cmux.sock') for default socket path
- voice/index.ts: os.homedir() as fallback instead of '/tmp'
Fixes portability on Windows and macOS where /tmp may not exist
or resolves to a different path (e.g. /private/tmp on macOS).
The discuss prompts (discuss.md, guided-discuss-milestone.md,
guided-discuss-slice.md) and queue.md had no web search budget guidance.
The mandatory investigation pass, question rounds, focused research, and
requirements all compete for the same per-turn web_search quota.
Research prompts (research-milestone.md, research-slice.md) already had
budget awareness. This commit adds consistent guidance to all four
discussion/queue prompts:
- Explicit per-turn budget note (typically 3-5 searches)
- Prefer resolve_library/get_library_docs over web_search for library docs
- Prefer search_and_read for one-shot topic research
- Target 2-3 searches in investigation, save budget for later phases
- Distribute searches across turns rather than clustering
- Clarify that multiple text spans per result are normal formatting
CI workflow:
- Replace fetch-depth: 0 with shallow clones (depth 1-2) in lint and
build jobs — saves ~30-60s per job
- Remove fetch-depth: 0 from build and windows-portability (default
depth 1 is sufficient for build/test)
Pipeline workflow:
- Add cache: 'npm' to dev-publish, test-verify, and prod-release
setup-node steps — saves ~1-2 min per job on npm ci
- Move ${{ }} expressions from run: blocks to env: variables in
prod-release and update-builder to prevent command injection vectors
- Use fetch-depth: 2 in update-builder (only needs parent diff)
Build-native workflow:
- Replace hardcoded sleep 30 + single verification with exponential
backoff polling (5s → 10s → 20s → 30s cap, max 5 attempts)
- Replace fixed 15s retry intervals in post-publish smoke test with
exponential backoff (5s → 10s → 20s → 30s cap, 8 attempts)
- Replace fixed 15s dist-tag verification loop with exponential
backoff (6 attempts vs 10 × 15s)
Estimated savings: ~5-10 min per full CI+pipeline run, ~1-3 min per
native build publish.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: TÂCHES <afromanguy@me.com>
Docs-only PRs (only .md files and docs/ changes) now skip the expensive
build, typecheck, and test jobs while still running lint and a new
docs-check job. The docs-check job runs a prompt injection scanner that
detects hidden directives, role overrides, system prompt markers, tool
call injection, and invisible Unicode in markdown prose (excluding
fenced code blocks and inline code spans).
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Cover all new features across README, commands, configuration,
auto-mode, and getting-started docs: GitHub sync extension, Skill
tool resolution, health check phase 2, forensics debugger upgrade,
auto PR on milestone completion, RUNTIME.md template, welcome screen,
GSD_HOME/GSD_PROJECT_ID env vars, browser/runtime UAT types, pipeline
decomposition, sliding-window stuck detection, and data-loss recovery.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(autocomplete): repair /gsd skip, add widget/next --debug completions, add discuss to description
- fix: bare `/gsd skip` (no args) fell through all handlers and hit the
"Unknown command" warning — add a usage message handler matching
`trimmed === "skip"` consistent with steer/knowledge/run-hook
- fix: `next` handler supports `--debug` (enables debug logging) but it
was absent from NESTED_COMPLETIONS; add alongside --verbose/--dry-run
- fix: `widget` accepts full|small|min|off args but had no autocomplete
entries; add widget to NESTED_COMPLETIONS with all four modes
- fix: `discuss` was in TOP_LEVEL_SUBCOMMANDS and fully implemented but
omitted from GSD_COMMAND_DESCRIPTION hint string; add it
* test(gsd): add autocomplete regressions for skip/widget/next/discuss
* fix(search): keep loop guard armed after firing to prevent infinite loop restart (#1671)
The consecutive duplicate search guard introduced in #949 reset both
`lastSearchKey` and `consecutiveDupeCount` to their zero-values when the
threshold was hit. This meant the very next identical call was treated as
a brand-new first search, restarting the window from scratch. The guard
fired every MAX_CONSECUTIVE_DUPES+1 calls but never permanently broke
the loop — the LLM could continue indefinitely with brief interruptions.
Remove the two reset lines on guard trigger so the state stays armed.
Every subsequent duplicate now immediately re-triggers the guard instead
of getting a fresh allowance. The counter still resets normally when a
different query is issued, preserving legitimate re-search behaviour.
Adds regression tests covering: initial threshold fire, persistent
re-triggering after the first fire, and clean reset on query change.
* fix(search): reset duplicate-loop guard on session start
* fix(worktree): detect default branch instead of hardcoding "main" on milestone merge (#1668)
Repos using `master` (or any non-`main` default branch) without a GSD
preferences file and without a milestone META.json would have
`mergeMilestoneToMain` fall back to the hardcoded string `"main"`, causing
`git checkout main` to fail. The worktree and milestone branch were left in
an indeterminate state with only a terse error message.
Two targeted fixes:
1. **auto-worktree.ts** — Replace `?? "main"` fallback with
`?? nativeDetectMainBranch(originalBasePath_)`. This function already
exists and is used in 9 other locations; it probes origin/HEAD, then
checks for `main`, `master`, and finally falls back to the current
branch. The resolution order is unchanged for the common case
(integration branch → prefs.main_branch → detected).
2. **worktree-resolver.ts** — Improve the merge-failure warning from a bare
"Milestone merge failed: <reason>" to an actionable message that
explicitly tells the user their worktree and milestone branch are
preserved, and what to do next (retry /complete-milestone or merge
manually). This prevents the panic of "is my code gone?" described in
the issue.
Tests added:
- `auto-worktree-milestone-merge.test.ts`: Test 7 creates a real git repo
with `master` as the default branch, no META.json, and no prefs, then
verifies the squash-merge succeeds and lands on `master`.
- `worktree-resolver.test.ts`: Asserts the failure message includes the
original error, the word "preserved", and a recovery suggestion.
* fix(recovery): add recover-gsd-1668 script for orphaned milestone commits
Users who hit the #1668 bug (milestone branch deleted before merge
succeeded) can use this script to recover their code from git's object
store before git gc prunes the orphaned commits (default: 14–90 days).
The script has two search strategies:
1. Git reflog — checks .git/logs/refs/heads/milestone/<ID> first.
Reflogs survive branch deletion for up to 90 days. This is the
fastest path and requires zero scanning.
2. Git fsck fallback — runs git fsck --unreachable --no-reflogs to
find all orphaned commit objects, then scores them in a single
git log --no-walk batch call (not per-commit git show, which would
be O(n) process launches). Scores by:
- Milestone ID match in subject (+100)
- GSD conventional commit pattern feat(M<id>...) (+50)
- Milestone-related keywords in subject (+20)
- Committed within last 7 days (+10)
Once a commit is selected (interactively or via --auto), the script
creates recovery/<1668>/<milestone-id> branch and prints the exact
commands to inspect, merge, and clean up.
Supports: --milestone <ID>, --dry-run, --auto
Platforms: bash (Linux/macOS) and PowerShell (Windows)
* feat: surface real doctor issue details in progress score widget
Previously the progress score traffic light (green/yellow/red) only
showed generic labels like "2 consecutive error units" or "Health
trend declining". The actual doctor issue descriptions were computed
in auto-post-unit but discarded before reaching the widget — only
aggregate counts were stored in HealthSnapshot.
Now the full data flows through:
- HealthSnapshot stores issue details (code, message, severity,
unitId) and fix descriptions alongside the counts
- recordHealthSnapshot() accepts optional issue/fix arrays
(backwards compatible — existing callers unchanged)
- getLatestHealthIssues() and getLatestHealthFixes() retrieve the
most recent details for display
- computeProgressScore() surfaces up to 5 real issue messages
(errors first) and up to 3 recent fixes as ProgressSignals
when the level is yellow or red
- Dashboard overlay renders signal details with ✓/✗/· icons
below the traffic light when degraded
This gives real-time visibility into what the auto-doctor is
detecting and fixing, without requiring manual /gsd doctor runs
or opening the full dashboard to investigate.
* feat: integrate doctor health data into visualizer and HTML reports
Phase 2b: close visibility gaps across visualizer and export surfaces.
Persistence (doctor.ts):
- Enrich DoctorHistoryEntry with issue details (severity, code,
message, unitId) and fix descriptions
- appendDoctorHistory now persists up to 10 issues per entry and
all fix descriptions to doctor-history.jsonl
- Export DoctorHistoryEntry type for consumers
Data layer (visualizer-data.ts):
- Add VisualizerDoctorEntry and VisualizerProgressScore types
- Extend HealthInfo with doctorHistory (last 20 persisted entries)
and progressScore (current in-memory traffic light)
- loadHealth reads doctor-history.jsonl synchronously and snapshots
current progress score when health data exists
TUI visualizer (visualizer-views.ts):
- Health tab now shows "Progress Score" section with traffic light
icon, summary, and all signal details (✓/✗/· prefixed)
- Health tab now shows "Doctor History" section with timestamped
entries, issue messages, and applied fixes
HTML export (export-html.ts):
- Health section includes progress score with colored indicator
and signal breakdown
- Health section includes "Doctor Run History" table with
timestamps, error/warning/fix counts, issue codes, expandable
issue messages, and fix descriptions
* feat: fill remaining health gaps — scope tagging, level notifications, human-readable logs
Gap fills:
Per-milestone/slice scope tagging:
- HealthSnapshot now stores scope (e.g. "M001/S02") from the
doctor run's unit context
- DoctorHistoryEntry persists scope to doctor-history.jsonl
- Visualizer and HTML reports display scope tags per entry
State transition notifications:
- setLevelChangeCallback() registers a handler for progress level
changes (green→yellow, yellow→red, red→green, etc.)
- auto-start.ts wires the callback to ctx.ui.notify on start
- auto.ts clears it on stop
- Notifications include the triggering issue message
Human-readable formatting throughout:
- formatHealthSummary() uses full words: "2 errors, 3 warnings ·
trend degrading · 1 fix applied · 1 of 5 consecutive errors
before escalation · latest: Missing PLAN.md for S03"
- DoctorHistoryEntry stores a human-readable summary field
built from error counts, fix counts, and top issue message
- Visualizer doctor history shows summary instead of "2E 1W 0F"
- HTML export doctor table uses summary column with scope tags
- Post-unit notification says what was fixed ("Doctor: rebuilt
STATE.md; cleared stale lock") instead of "applied 2 fix(es)"
Test updates:
- formatHealthSummary assertions updated for new readable format
* fix: default UAT type to artifact-driven to prevent unnecessary auto-mode pauses (#1651)
When a UAT file has no `## UAT Type` section, `extractUatType()` returns
`undefined`. The fallback was `"human-experience"`, causing `pauseAfterDispatch:
true` in the auto-dispatch rule. Since doctor-generated UAT placeholders never
include a UAT Type section and LLM-executed UATs are always artifact-driven,
the correct default is `"artifact-driven"`.
Closes#1649
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove duplicate doctorScope declaration (CI build fix)
* fix: resolve PR1644 regressions in health views and post-unit hook
* fix: add spacing to commit time display and show issue details in widget
- Remove space-stripping from git timeAgo ("82seconds" → "82 seconds")
- Show up to 3 negative health signals below the widget header when
degraded (yellow/red), so you see what's actually wrong without
opening the dashboard
---------
Co-authored-by: TÂCHES <afromanguy@me.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
syncWorktreeStateBack() only processed files directly in each slice
directory, silently skipping the tasks/ subdirectory. Task-level
summaries (T01-SUMMARY.md, T02-SUMMARY.md, etc.) were therefore never
copied from the worktree back to the project root before teardown,
causing data loss when the worktree was removed on milestone completion.
Fix: detect the tasks/ directory entry in the inner loop and recurse
into it, copying all .md files and appending them to the synced list.
Consistent with how syncStateToProjectRoot() already uses recursive
copy via safeCopyRecursive().
Adds regression test (case 8 in worktree-sync-milestones.test.ts)
covering slice-level and task-level summary sync.
* fix(worktree): recurse into tasks/ when syncing slice artifacts back to project root (#1678)
syncWorktreeStateBack() only processed files directly in each slice
directory, silently skipping the tasks/ subdirectory. Task-level
summaries (T01-SUMMARY.md, T02-SUMMARY.md, etc.) were therefore never
copied from the worktree back to the project root before teardown,
causing data loss when the worktree was removed on milestone completion.
Fix: detect the tasks/ directory entry in the inner loop and recurse
into it, copying all .md files and appending them to the synced list.
Consistent with how syncStateToProjectRoot() already uses recursive
copy via safeCopyRecursive().
Adds regression test (case 8 in worktree-sync-milestones.test.ts)
covering slice-level and task-level summary sync.
* feat(cleanup): add ~/.gsd/projects/ orphan detection and pruning
Introduces a complete lifecycle management story for the external project
state directory (~/.gsd/projects/<hash>/). Previously these directories
accumulated indefinitely with no mechanism to identify or remove them
after a repo was deleted or moved.
Changes:
repo-identity.ts
- Write `repo-meta.json` into each external state dir on first open
(and backfill on any subsequent open if the file is missing).
- Records: version, hash (dir name), gitRoot, remoteUrl, createdAt.
- Non-fatal: metadata write failure never blocks project setup.
- Export `readRepoMeta()` and `RepoMeta` interface for consumers.
doctor-types.ts
- Add `orphaned_project_state` to DoctorIssueCode.
- Add `GLOBAL_STATE_CODES` set — codes that must never be auto-fixed
at fixLevel=task (post-task automated health checks must not delete
project state directories).
doctor-checks.ts
- Add `checkGlobalHealth()` — scans ~/.gsd/projects/, reads repo-meta.json
from each dir, reports info-severity issue for any whose gitRoot is gone.
- Auto-fixable with --fix; skipped entirely at fixLevel=task.
doctor.ts
- Import and call `checkGlobalHealth` after `checkRuntimeHealth`.
- Gate on `GLOBAL_STATE_CODES` in `shouldFix` at task fixLevel.
commands-maintenance.ts
- Add `handleCleanupProjects(args, ctx)` — interactive audit command.
- Categorises dirs as active / orphaned / unknown (no metadata yet).
- Without --fix: prints full report with per-dir gitRoot + remoteUrl.
- With --fix: deletes orphaned dirs, reports removed/failed counts.
commands/handlers/ops.ts
- Route `cleanup projects` and `cleanup projects --fix` to handler.
commands/catalog.ts
- Add `projects` and `projects --fix` to cleanup tab-completions.
* feat(cleanup): add metrics.json bloat detection and pruning
The metrics ledger has no TTL and grows by one entry per completed unit —
~1-2 KB/entry with no ceiling. On a busy project (50 units/day) this
reaches 4-9 MB in 90 days and continues growing indefinitely.
Changes:
metrics.ts
- Add pruneMetricsLedger(base, keepCount): trims oldest entries from the
head of the units array, keeping the newest `keepCount`. Updates both
the on-disk file and the in-memory ledger if a session is active.
doctor-types.ts
- Add "metrics_ledger_bloat" to DoctorIssueCode.
doctor-checks.ts (checkRuntimeHealth)
- Add metrics ledger bloat check after the existing integrity check.
- Threshold: 2000 units / fires as "warning".
- Fix: prune to newest 1500 entries via pruneMetricsLedger().
- Reports both the unit count and file size in MB in the issue message.
* fix cleanup project-state path and repo-meta refresh
* fix: prevent parallel worktree path resolution from escaping to home directory
When .gsd is a symlink into ~/.gsd/projects/<hash> (the default layout),
parallel workers resolve their cwd through the symlink. findWorktreeSegment()
then matches /.gsd/ at the user-level ~/.gsd boundary instead of the project
.gsd, causing resolveProjectRoot() to return ~ as the project root.
This corrupts ~/.gsd, creates ~/.git, and crashes pi.
Fix (3 layers):
1. Pass GSD_PROJECT_ROOT env var from coordinator to workers — the
coordinator already knows the real basePath unambiguously.
2. In resolveProjectRoot(), detect when the candidate root's .gsd
matches the user-level ~/.gsd and fall back to reading the worktree's
.git file (gitdir: pointer) to recover the real project root.
3. Existing validateDirectory() already blocks ~ — but the bug bypassed
it because the worktree path itself was 'safe'.
Also fixes the existing test that asserted the buggy behavior as correct.
Closesgsd-build/gsd-2#1676
* fix worktree root resolution for deep symlink paths
---------
Co-authored-by: Vojtěch Šplíchal <splichal@gmail.com>
* fix: prune stale env-utils.js from extensions root, preventing startup load error
- Move env-utils.ts from extensions/ root into gsd/ subdirectory
- Update all import paths to reflect new location
- Add manifest-based tracking in resource-loader to record which root-level
extension files are installed, so future upgrades can detect and prune files
that get removed or relocated (preventing recurrence)
- Add known-stale fallback for pre-manifest upgrades (explicitly removes
env-utils.js which was moved into gsd/ in this release)
- Remove re-export block from auto.ts that referenced relocated symbols
- Clean up session_start handler in native-search.ts (remove provider diagnostics
that were duplicating info already shown by model_select)
- Update welcome-screen layout to two-panel bar design for visual consistency
* fix: resolve PR1655 extension load and compile regressions
* fix: remove duplicate _clearGsdRootCache export
* fix: restore native-search session_start diagnostics
* fix(gsd extension): detect initialized projects in health widget
Use .gsd presence plus project-state detection for the health widget so bootstrapped projects no longer appear as unloaded before metrics exist.
* fix(gsd extension): detect initialized projects in health widget
Use .gsd presence plus project-state detection for the health widget so bootstrapped projects no longer appear as unloaded before metrics exist.
* feat: add Skill tool resolution for Pi agent
Expose a built-in Skill tool so dispatched prompts can resolve skill names without guessing file paths. This aligns runtime behavior with skill activation prompts and adds coverage for exact activation and unknown-skill handling.
Replaces the rounded box-corner two-panel layout (╭╮╰╯) with full-width
cyan ─ bars at top and bottom, matching the auto-mode progress widget's
ui.bar() style exactly. The inner │ divider and ├─ section separators are
kept (dimmed) so the two-panel logo/info layout is preserved.
Changes:
- Top/bottom borders: chalk.cyan('─'.repeat(termWidth)) — same as widget ui.bar()
- Outer vertical box borders removed; inner │ divider kept as dim separator
- Section dividers changed to dim ├──── style
- Trailing spaces removed from hint/version strings (no closing │ to pad against)
- Panel width formula updated: 1 + LEFT_INNER + 1 + RIGHT_INNER = termWidth
* feat: surface real doctor issue details in progress score widget
Previously the progress score traffic light (green/yellow/red) only
showed generic labels like "2 consecutive error units" or "Health
trend declining". The actual doctor issue descriptions were computed
in auto-post-unit but discarded before reaching the widget — only
aggregate counts were stored in HealthSnapshot.
Now the full data flows through:
- HealthSnapshot stores issue details (code, message, severity,
unitId) and fix descriptions alongside the counts
- recordHealthSnapshot() accepts optional issue/fix arrays
(backwards compatible — existing callers unchanged)
- getLatestHealthIssues() and getLatestHealthFixes() retrieve the
most recent details for display
- computeProgressScore() surfaces up to 5 real issue messages
(errors first) and up to 3 recent fixes as ProgressSignals
when the level is yellow or red
- Dashboard overlay renders signal details with ✓/✗/· icons
below the traffic light when degraded
This gives real-time visibility into what the auto-doctor is
detecting and fixing, without requiring manual /gsd doctor runs
or opening the full dashboard to investigate.
* feat: integrate doctor health data into visualizer and HTML reports
Phase 2b: close visibility gaps across visualizer and export surfaces.
Persistence (doctor.ts):
- Enrich DoctorHistoryEntry with issue details (severity, code,
message, unitId) and fix descriptions
- appendDoctorHistory now persists up to 10 issues per entry and
all fix descriptions to doctor-history.jsonl
- Export DoctorHistoryEntry type for consumers
Data layer (visualizer-data.ts):
- Add VisualizerDoctorEntry and VisualizerProgressScore types
- Extend HealthInfo with doctorHistory (last 20 persisted entries)
and progressScore (current in-memory traffic light)
- loadHealth reads doctor-history.jsonl synchronously and snapshots
current progress score when health data exists
TUI visualizer (visualizer-views.ts):
- Health tab now shows "Progress Score" section with traffic light
icon, summary, and all signal details (✓/✗/· prefixed)
- Health tab now shows "Doctor History" section with timestamped
entries, issue messages, and applied fixes
HTML export (export-html.ts):
- Health section includes progress score with colored indicator
and signal breakdown
- Health section includes "Doctor Run History" table with
timestamps, error/warning/fix counts, issue codes, expandable
issue messages, and fix descriptions
* feat: fill remaining health gaps — scope tagging, level notifications, human-readable logs
Gap fills:
Per-milestone/slice scope tagging:
- HealthSnapshot now stores scope (e.g. "M001/S02") from the
doctor run's unit context
- DoctorHistoryEntry persists scope to doctor-history.jsonl
- Visualizer and HTML reports display scope tags per entry
State transition notifications:
- setLevelChangeCallback() registers a handler for progress level
changes (green→yellow, yellow→red, red→green, etc.)
- auto-start.ts wires the callback to ctx.ui.notify on start
- auto.ts clears it on stop
- Notifications include the triggering issue message
Human-readable formatting throughout:
- formatHealthSummary() uses full words: "2 errors, 3 warnings ·
trend degrading · 1 fix applied · 1 of 5 consecutive errors
before escalation · latest: Missing PLAN.md for S03"
- DoctorHistoryEntry stores a human-readable summary field
built from error counts, fix counts, and top issue message
- Visualizer doctor history shows summary instead of "2E 1W 0F"
- HTML export doctor table uses summary column with scope tags
- Post-unit notification says what was fixed ("Doctor: rebuilt
STATE.md; cleared stale lock") instead of "applied 2 fix(es)"
Test updates:
- formatHealthSummary assertions updated for new readable format
* fix: default UAT type to artifact-driven to prevent unnecessary auto-mode pauses (#1651)
When a UAT file has no `## UAT Type` section, `extractUatType()` returns
`undefined`. The fallback was `"human-experience"`, causing `pauseAfterDispatch:
true` in the auto-dispatch rule. Since doctor-generated UAT placeholders never
include a UAT Type section and LLM-executed UATs are always artifact-driven,
the correct default is `"artifact-driven"`.
Closes#1649
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove duplicate doctorScope declaration (CI build fix)
* fix: resolve PR1644 regressions in health views and post-unit hook
---------
Co-authored-by: TÂCHES <afromanguy@me.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: add PhaseResult/IterationContext/LoopState types to auto-loop
No behavioral changes. Pure type additions for upcoming phase extraction.
* refactor: extract runFinalize() from autoLoop body
No behavioral changes. Pure structural extraction.
* refactor: extract runUnitPhase() from autoLoop body
No behavioral changes. Pure structural extraction.
* refactor: extract runGuards() from autoLoop body
No behavioral changes. Pure structural extraction.
* refactor: extract runDispatch() from autoLoop body
No behavioral changes. Pure structural extraction.
* refactor: extract runPreDispatch() from autoLoop body
No behavioral changes. Pure structural extraction.
Completes autoLoop pipeline phase decomposition:
runPreDispatch → runGuards → runDispatch → runUnitPhase → runFinalize
* refactor: hoist loopState before autoLoop loop, drop sync-back hacks
loopState was created inside the loop each iteration, requiring 3 manual
sync-backs for stuckRecoveryAttempts (number copy-by-value). Hoist it
before the loop so it's a true persistent mutable struct across iterations.
The forensics prompt listed only 5 source files and told the agent to
"analyze the report." This led to shallow analysis and hallucinated
paths because the agent had no knowledge of the source layout, runtime
paths, activity log format, or crash lock structure.
The rewritten prompt gives the forensics agent a complete source map
organized by domain, the full .gsd/ directory structure, data format
references for activity logs / crash locks / metrics, and a step-by-step
investigation protocol that requires tracing from symptom to specific
file:line in GSD source before filing an issue.
Closes#1656
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The forensics prompt references "activity logs" in natural language but
never provides the actual filesystem paths. This causes the LLM agent to
hallucinate paths like `activity-logs/` when it needs to inspect raw JSONL
logs beyond the pre-parsed forensic data.
Adds a "Key Runtime Paths" section with concrete `.gsd/` paths for
activity logs, debug logs, runtime state, crash lock, completed units,
and forensics reports.
Closes#1652
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The progress widget's render() synchronously accesses sessionManager
state via cmdCtx. When newSession() is in-flight, this can block the
TUI input loop, freezing the terminal. Guard render() to return the
last cached frame while a session switch is in progress.
Closes#1653
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Refactor GSD command/bootstrap modules
* fix: resolve TypeScript build errors in refactored db-tools and catalog
- db-tools.ts: add missing execute callback params (signal, onUpdate, ctx),
remove isError from return objects (not in AgentToolResult type), cast
details as any to avoid union type mismatch across error/success paths
- catalog.ts: use Object.entries() on TemplateRegistry.templates Record
instead of treating it as an array, use Record key as template id
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: update source-contract tests to reference refactored file locations
The god-file refactor moved code from index.ts and commands.ts into
bootstrap/agent-end-recovery.ts, bootstrap/register-hooks.ts, and
commands/handlers/core.ts. Update three test files to read from the
correct paths and adjust pattern assertions to match the new code
structure.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When a UAT file has no `## UAT Type` section, `extractUatType()` returns
`undefined`. The fallback was `"human-experience"`, causing `pauseAfterDispatch:
true` in the auto-dispatch rule. Since doctor-generated UAT placeholders never
include a UAT Type section and LLM-executed UATs are always artifact-driven,
the correct default is `"artifact-driven"`.
Closes#1649
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When a unit spawns background jobs via async_bash, job completion callbacks
fire follow-up messages after agent_end has resolved. The auto-loop has
moved on but the previous session's LLM processes these follow-ups, adding
12-45s of wasted time and ~14 unnecessary turns per unit.
Two complementary fixes:
1. Cancel all running background jobs on session_before_switch so
completion callbacks never fire for the old session.
2. Clear the follow-up queue after runUnit() completes as defense-in-depth,
discarding any already-queued notifications before the next session starts.
Closes#1642
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add recovery script for #1364 .gsd/ data-loss regression
Adds scripts/recover-gsd-1364.sh to help users whose .gsd/ files were
deleted by the ensureGitignore bug in v2.33.x–v2.35.x.
The script handles both damage scenarios:
- Scenario A: .gsd files deleted in working tree but not yet committed
- Scenario B: git rm --cached .gsd/ was committed (files gone from HEAD)
Steps performed:
1. Detects whether the repo is affected (symlink check, .gitignore scan,
git history scan)
2. Finds the last clean commit before ".gsd" was added to .gitignore
3. Restores all deleted .gsd/ files via git checkout <clean-commit> -- .gsd/
4. Removes the bare ".gsd" line from .gitignore
5. Stages both changes and prints the ready-to-commit command
Supports --dry-run to preview without making changes.
Safe to run on unaffected repos — exits early with no modifications.
Closes#1364
* fix: add Windows PowerShell recovery script for #1364
Adds scripts/recover-gsd-1364.ps1, a PowerShell equivalent of the bash
recovery script for users on Windows.
Windows-specific differences handled:
- Junction detection: GSD's migrateToExternalState() uses symlinkSync()
with type "junction" on Windows instead of a POSIX symlink. The script
checks Get-Item.LinkType for both "SymbolicLink" and "Junction" so
migrated repos exit cleanly on step 1.
- .gitignore rewrite uses [System.IO.File]::WriteAllLines() with UTF-8
no-BOM encoding to match git's expectations on Windows, rather than
shell redirection which can introduce BOM or CRLF issues.
- All git invocations use execFileSync-style array args via Invoke-Git
helper — no shell string eval, no quoting edge cases.
- Colour output uses Write-Host -ForegroundColor instead of ANSI escapes.
- -DryRun is a proper PowerShell switch parameter.
Also updates recover-gsd-1364.sh header to:
- Clarify it is Linux/macOS only
- Point Windows users to the .ps1
- Correct the affected version range to v2.30.0-v2.35.x (was 2.33.x)
- Reference the three residual vectors on v2.36.0-v2.38.0 (PR #1635)
Usage on Windows:
powershell -ExecutionPolicy Bypass -File scripts\recover-gsd-1364.ps1
powershell -ExecutionPolicy Bypass -File scripts\recover-gsd-1364.ps1 -DryRun
* fix(gsd): close residual #1364 data-loss vectors on v2.36.0+
Two targeted fixes that close the three remaining paths where .gsd/
tracked files can still be silently deleted after the v2.36.0 fix.
--- Path 1: hasGitTrackedGsdFiles fails open on git error (gitignore.ts)
nativeLsFiles() swallows git failures via allowFailure=true and returns
[], making hasGitTrackedGsdFiles() indistinguishable between "nothing
tracked" and "git failed". On any transient git failure (locked index,
binary not on PATH, corrupted .git/index), the function returned false
and .gsd was added to .gitignore, deleting all tracked state.
Fix: after nativeLsFiles returns [], verify git is reachable with a
cheap rev-parse call. If git is unavailable, return true (fail safe —
assume tracked). The outer catch also returns true instead of false.
--- Path 2: migration never cleans git index (migrate-external.ts)
migrateToExternalState() correctly creates the .gsd symlink/junction but
never ran `git rm -r --cached .gsd/`. All previously tracked .gsd/* files
remained in the git index pointing through the new symlink, which git
cannot follow — causing PROJECT.md, milestones/, REQUIREMENTS.md etc. to
appear as deleted in git status immediately after every migration.
Fix: after the symlink is verified, run:
git rm -r --cached --ignore-unmatch .gsd
--ignore-unmatch makes this a no-op on fresh/untracked projects.
--- Path 3: race between migration and ensureGitignore
Resolved by Path 2. If migration always cleans the index, the race
window (another process converting .gsd/ to a symlink between the
migrateToExternalState() and ensureGitignore() calls) is harmless —
the index is already clean and there is nothing to lose.
--- Tests added (gitignore-tracked-gsd.test.ts)
- hasGitTrackedGsdFiles returns true (fail-safe) when git is unavailable
(simulated via .git/index.lock to force git ls-files failure)
- migrateToExternalState cleans git index so tracked files don't show
as deleted after successful migration
Fixes residual vectors from #1364 (original fix: #1367, v2.36.0)
* fix(recovery): add Scenario C support to recover-gsd-1364 scripts
Scenario C: .gsd/ is already a symlink/junction (migration succeeded on
the filesystem) but `git rm -r --cached .gsd/` was never run, leaving
tracked .gsd/* files appearing as deleted in git status.
Both bash and PowerShell scripts previously exited early at Step 1 when
they detected a symlink. Now they continue with a dedicated Scenario C
path through all steps:
- Step 1: sets GSD_IS_SYMLINK flag, continues instead of exiting
- Step 2: inverted .gitignore check — warns if .gsd is MISSING (should
be present for external-state layout) rather than if it's present
- Step 3: skips commit-history scan (index issue only, no file restore
needed); exits clean if no stale entries found
- Step 4: skips damage-commit search (nothing to restore from history)
- Step 5: runs `git rm -r --cached --ignore-unmatch .gsd` to clean the
stale index entries instead of restoring files from a prior commit
- Step 6: appends .gsd to .gitignore instead of removing it
- Step 7: stages only .gitignore (not .gsd/) to avoid the "gitignored
path" error; the index cleanup from Step 5 is already staged
- Summary: uses a distinct commit message for Scenario C
Smoke-tested against a synthetic repo that replicates the exact Scenario
C failure mode (symlink in place, git rm --cached never run).
