Consolidate all worktree sync, resource staleness, stale worktree escape,
and stale runtime unit cleanup into auto-worktree.ts. Extract shared
ROOT_STATE_FILES constant and isSamePath helper to eliminate triple
duplication of the rootFiles array and copy-pasted symlink checks.
Replace inline 26-line stale-unit cleanup in auto-start.ts with a call
to cleanStaleRuntimeUnits().
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove duplicate resolveExpectedArtifactPath() and diagnoseExpectedArtifact()
from auto-recovery.ts, making auto-artifact-paths.ts the single source of truth.
auto-recovery.ts re-exports both functions for backward compatibility.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
guided-flow.ts has its own local implementation; the exported version
in auto-recovery.ts was never imported anywhere. Removes 35 lines of
dead code, the unused clearUnitRuntimeRecord import, and associated
tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
session-forensics.ts is a general-purpose JSONL parser that had a direct
import of getAutoWorktreePath from auto-worktree.ts, creating tight
coupling. getDeepDiagnostic now accepts an optional worktreePath parameter
instead of resolving it internally. The caller (auto.ts) resolves the
worktree path via readActiveMilestoneId + getAutoWorktreePath and passes
it in.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove basePath and unitId from RunVerificationGateOptions — they were
defined in the interface and passed by callers but never read by
runVerificationGate(). This eliminates false coupling where callers
compute values that have zero effect.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Delete unused resource-version.ts (functions duplicated in auto-worktree-sync.ts
with zero imports). Remove GitServiceImpl.git() private method with no call sites.
Clean up orphaned section headers and dangling JSDoc in git-service.ts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SLICE_BRANCH_RE, QUICK_BRANCH_RE, and WORKFLOW_BRANCH_RE were scattered
across worktree.ts and git-service.ts. Extract all three into
branch-patterns.ts as the single source of truth. Both original modules
re-export for backward compatibility — no consumer changes needed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The lock acquisition had a primary path and a retry path with identical
28-line onCompromised callbacks and 6-line state assignment blocks (68 lines
of copy-paste). Extract into createLockCompromisedHandler() and
assignLockState() helpers so bug fixes only need to be applied once.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The doctor-environment and doctor-git tests used assertTrue and assertEq
which are not defined — they should be assert.ok and assert.equal from
the imported node:assert/strict module.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
These test files imported `assert` from node:assert/strict but used
assertTrue/assertEq (from test-helpers.ts createTestContext) without
importing them, breaking typecheck:extensions on main and all PRs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The GSD extension only listened for session_start, not session_switch.
When /resume switched to a previous session, GSD's write-gate, loop guard,
discussion flow, service tier, and tool API keys were never re-initialized,
leaving GSD in stale state from the prior session.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the free-form parameter listing in step 7 of complete-milestone.md
with structured, typed parameter definitions that match the tool schema in
db-tools.ts. Parameters are grouped into required and optional sections with
explicit types (marking arrays as arrays, booleans as booleans) to prevent
LLM validation failures when calling gsd_complete_milestone.
Fixes#2581
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The forensics prompt and gh skill used --label "bug" / --label "type:feature"
for issue classification, polluting the label taxonomy and leaving the Type
field unset. gh issue create has no --type flag, so issue types must be set
via GraphQL mutation after creation.
Closes#2579
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Auto-mode sessions are long-running (minutes to hours) with their own
internal per-unit timeout via auto-supervisor. The 300s overall timeout
was killing active sessions mid-execution, triggering wasteful restart
cycles.
Changes:
- Disable overall timeout for auto-mode when using the default 300s
(user can still set --timeout explicitly, including --timeout 0)
- Guard timeout timer creation for null when timeout is 0
- Cancel overall timeout when new-milestone --auto chains into auto-mode
- Fix headless auto-responder to pick "Force start" for lock-guard
prompts instead of "View status" (which silently blocked auto-mode)
- Allow --timeout 0 to explicitly disable timeout for any command
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(auto): align UAT artifact suffix with gsd_slice_complete output
The auto-mode files referenced UAT-RESULT as the artifact suffix,
but gsd_slice_complete writes files as S##-UAT.md. This mismatch
caused ENOENT errors during validate-milestone dispatch.
Fixes#2564
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(auto): update test and doc references from UAT-RESULT to UAT
Aligns test assertions and ADR documentation with the corrected
artifact suffix.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(auto): replace separate UAT-RESULT file check with in-file verdict check
The original two-file model (UAT spec + UAT-RESULT verdict) never
worked because gsd_slice_complete only writes S##-UAT.md. The blind
string replacement made checkNeedsRunUat always return null by
resolving the same file twice. Now checks for a verdict: line inside
the UAT file content to determine if UAT has been completed.
Also deduplicates a redundant resolveSliceFile call in the verdict
gate and updates tests to verify the single-file verdict model.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SessionLockData no longer has a completedUnits field. Use sessionFile
(an actual optional field) for the same assertion coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
onCompromised was declaring lock lost when the lock file was temporarily
unreadable (NFS/CIFS latency, macOS APFS snapshot, or concurrent process
briefly holding the file). Add readExistingLockDataWithRetry (3 attempts,
200ms delay) so transient filesystem hiccups do not trigger false-positive
compromise events.
Fixes#2324
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When running GSD from a subdirectory (e.g. `cd src/ && gsd`),
ensureGsdSymlink would create a new `.gsd` symlink in the subdirectory
even though a valid `.gsd` already exists at the git root. On macOS
APFS this triggers the `.gsd 2` collision variant problem from #2205.
Add an early guard that detects when projectPath is a plain subdirectory
(not a worktree) of a git repo that already has `.gsd` at its root, and
returns the existing root .gsd target instead of creating a duplicate.
Fixes#2380
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
EAGAIN (resource temporarily unavailable) is a resource exhaustion error
that cannot be recovered by retrying, yet it was missing from the infra
error set. This caused auto-mode to keep retrying on EAGAIN failures,
burning LLM budget on guaranteed failures.
Fixes#2359
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Native search: use monotonic high-water mark (Math.max) instead of
overwriting sessionSearchCount from history. Prevents budget reset
when context compaction removes web_search_tool_result blocks.
- Custom search tool: add MAX_SEARCHES_PER_SESSION=15 hard cap across
all queries (not just consecutive duplicates). Returns budget_exhausted
error when limit reached.
- Tighten MAX_CONSECUTIVE_DUPES from 3 to 1 — block on the 2nd identical
search since cached results make repeats pointless.
- Add tests for compaction-safe high-water mark, session budget
enforcement, and budget reset on session_start.
Closes#2583
The hydrateRemoteTokensFromAuth() function used require() to load
AuthStorage from @gsd/pi-coding-agent, but the package is ESM-only
("type": "module" with only an "import" export condition). Node's
require() always throws for ESM packages, and the outer try/catch
silently swallowed the error — making hydration a no-op.
Replace require() with a static ESM import (consistent with every
other extension) and use AuthStorage.create() which resolves the
auth.json path internally via getAgentDir().
Closes#2565
Adds /^[a-z0-9][a-z0-9-]*$/ validation in formatSkillActivationBlock() so that
skill names containing quotes, braces, or other special characters are silently
filtered out before interpolation into the prompt string.
Addresses the prompt injection surface noted by @trek-e in PR review.
Updates the special-character test to verify rejection instead of passthrough.
Address review feedback:
- Update comment to clarify that the function-call-like syntax led
LLMs to infer a positional parameter name (not 'positional-looking')
- Add test documenting current behavior when skill names contain
special characters (quotes, apostrophes)
The skill activation block used positional-looking syntax
`Call Skill('name')` which caused LLMs (especially non-Anthropic
models) to pass `{name: "..."}` instead of the required
`{skill: "..."}` parameter. This triggered tool validation failures
and stuck dispatch loops in auto-mode.
Change the prompt template to `Call Skill({ skill: 'name' })` which
makes the parameter name explicit and matches the Skill tool schema.
Update all 4 affected test assertions to match the new format.
Closes#2224
writeIntegrationBranch already rejects slice branches (SLICE_BRANCH_RE) and
quick-task branches (QUICK_BRANCH_RE), but has no guard for the 8 workflow-
template branches (gsd/hotfix/*, gsd/bugfix/*, gsd/spike/*, etc.). When a
user runs `/gsd start hotfix` during an active milestone, the ephemeral
hotfix branch gets recorded as the integration target and the milestone
later merges to the wrong branch.
Add WORKFLOW_BRANCH_RE (/^gsd\/(?!M\d)[\w-]+\//) that matches all
gsd/<templateId>/<slug> branches while excluding milestone slice branches
(gsd/M001/S01). The negative lookahead ensures milestone branches starting
with 'M' followed by a digit are not affected.
Same root cause as gsd/quick/* (#1293, PR #1342).
Closes#2498
