* fix: remove @gsd/* cross-deps that break npm install (#hotfix)
Workspace packages declared @gsd/* as dependencies in their own
package.json files. npm's bundleDependencies bundles packages into
node_modules/ but still tries to resolve sub-dependencies from the
registry — causing 404s for the unpublished @gsd/* scope.
- Remove @gsd/* from all dependencies (root and workspace packages)
- Add validate-pack.sh: tests tarball installability before publish
- Wire validate-pack into CI (every PR) and publish pipeline
- Bump to v2.10.10
- Update changelog
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: drop bundleDependencies, use postinstall symlinks instead
bundleDependencies with workspace packages causes npm to resolve
@gsd/* from the registry during install — 404 since they're not
published. Replace with a postinstall script that creates
node_modules/@gsd/* symlinks pointing to packages/*.
- Remove @gsd/* from dependencies and bundleDependencies
- Add link-workspace-packages.cjs (CJS, runs before ESM postinstall)
- Update validate-pack to verify symlinks after install
- Include link script in files array
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: robust validate-pack + fallback workspace linking
- Keep @gsd/* in bundleDependencies (for npm pack bundling)
- Remove @gsd/* from root dependencies (prevents 404 registry lookups)
- Add link-workspace-packages.cjs fallback for when bundled symlinks
aren't created
- Simplified validate-pack with better error diagnostics
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove bundleDependencies — use postinstall symlinks only
npm 10.x fetches packument metadata for ALL deps including bundled ones.
@gsd/* packages don't exist on npm → 404 → hard install failure.
bundleDependencies is fundamentally broken for unpublished workspace
packages. Replace with:
- packages/ shipped via files array (already was)
- link-workspace-packages.cjs creates node_modules/@gsd/* symlinks in
postinstall, pointing to packages/*
- No @gsd/* in dependencies or bundleDependencies at all
Tarball drops from 40M to 3M (no bundled node_modules).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add .npmignore to prevent .gitignore from excluding dist/
.gitignore contains /dist/ and packages/*/dist/ which are needed in
the published tarball. Without .npmignore, npm pack respects .gitignore
and excludes them — even though "files" in package.json should override.
An empty .npmignore causes npm to ignore .gitignore entirely, letting
the "files" field control what's packed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: avoid SIGPIPE in validate-pack on Linux
tar | grep -q causes SIGPIPE (exit 141) on Linux when grep closes the
pipe early. Write tar listing to a temp file and grep that instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: normalize .ts import extensions to .js for Node 22.22+ compatibility
Node 22.22.0's --experimental-strip-types handles .ts import specifiers
differently, causing ERR_INVALID_TYPESCRIPT_SYNTAX in CI. The project
convention uses .js specifiers with a custom resolve hook that rewrites
them to .ts at test time.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: replace better-sqlite3 with sql.js to eliminate native compilation failures
better-sqlite3 requires prebuilt binaries or node-gyp compilation, which
fails on newer Node versions (e.g. 25.x) that lack prebuilds. sql.js uses
WASM-compiled SQLite with zero native dependencies, making installation
reliable across all platforms and Node versions.
Closes#355
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Initial plan
* Add adaptive reconciliation, concrete remediation steps, and xxHash32 JS fallback
- auto.ts: final reconciliation pass before halting on loop detection
(runs skipExecuteTask to write blocker artifacts and advance pipeline)
- auto.ts: adaptive retry on prevCount>=2: write stub summary when still
missing after two agent sessions, so the agent has a recovery context
- auto.ts: buildLoopRemediationSteps() helper with concrete manual steps
when automatic reconciliation cannot resolve the unit
- xxhash/index.ts: pure-JS xxHash32 fallback when native addon does not
export xxHash32 (prevents 'native.xxHash32 is not a function' crash)
- idle-recovery.test.ts: tests for buildLoopRemediationSteps and loop-recovery
path in skipExecuteTask
Co-authored-by: glittercowboy <186001655+glittercowboy@users.noreply.github.com>
* Address code review feedback
- xxhash/index.ts: extract accumulate() helper to remove duplicate lane
processing lines in the 16-byte loop
- auto.ts: replace magic number 2 with named constant STUB_RECOVERY_THRESHOLD
- idle-recovery.test.ts: add comment explaining the 3 (== MAX_UNIT_DISPATCHES)
used in the loop-recovery test
Co-authored-by: glittercowboy <186001655+glittercowboy@users.noreply.github.com>
* Address PR review: verify post-state, fix stub wording, fix checkbox syntax, add fallback test
- auto.ts (MAX branch): check verifyExpectedArtifact() after skipExecuteTask()
before advancing; annotate both conditions explaining what each validates
- auto.ts (self-repair branch): guard advance with verifyExpectedArtifact() so
regex mismatches in the slice plan don't silently re-dispatch
- auto.ts (stub-recovery): write stub summary directly with "PARTIAL RECOVERY"
wording instead of using skipExecuteTask (which would claim "exhausted N attempts")
- auto.ts (remediation): fix checkbox example to "- [x] **${tid}:" (no trailing **)
- xxhash/index.ts: export xxHash32Fallback so CI can test JS path independently
- native/src/index.ts: re-export xxHash32Fallback
- xxhash.test.mjs: add "xxHash32Fallback (pure-JS path)" describe block that
validates the JS implementation against the reference on all test cases
Co-authored-by: glittercowboy <186001655+glittercowboy@users.noreply.github.com>
* chore: retrigger CI
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: glittercowboy <186001655+glittercowboy@users.noreply.github.com>
Co-authored-by: CI Trigger <noreply@github.com>
Model variants like `claude-opus-4-6[1m]` use bracket suffixes to
differentiate context window configurations internally, but the
Anthropic API only accepts base model IDs (e.g. `claude-opus-4-6`).
Sending the full variant ID via OAuth (Claude Max/Pro) causes a 404:
{"type":"not_found_error","message":"model: claude-opus-4-6[1m]"}
Strip any `[...]` suffix from model.id for OAuth requests only.
API key auth is left unchanged since the behavior there is unverified.
On macOS the Alt key is the Option key (⌥), but all UI hints showed
"Alt+". Added formatKeyForDisplay() utility that converts alt+ to ⌥
on darwin, applied it in formatKeys() for dynamic keybinding hints,
and updated hardcoded strings in tree-selector, models-selector,
settings-selector, auto-mode dashboard, and extension shortcut display.
Hashline prefixes (e.g. "1#BQ:") were leaking into the TUI display
for file reads, showing as weird characters to users. Strip them
before rendering since they're only meant for model consumption.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Anthropic's 429 responses include retry-after and x-ratelimit-reset-*
headers that tell us exactly when to retry. Previously we ignored these
and used exponential backoff (2s, 4s, 8s), which is both wrong and
misleading in the UI countdown.
- Add retryAfterMs to AssistantMessage as the structured carrier
- Extract retry-after / x-ratelimit-reset-requests / x-ratelimit-reset-tokens
from Anthropic SDK APIError.headers in the provider catch block
- Session uses retryAfterMs when present (capped by maxDelayMs=60s),
falls back to exponential backoff for errors with no timing hint
The UI countdown now shows the actual Anthropic reset time. No UI changes needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Lines exceeding terminal width are now silently truncated at the render
boundary rather than throwing a fatal error that kills the session.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add native Rust output truncation module
Line-boundary-aware truncation for tool outputs (bash, grep, file reads),
replacing JS byte-counting with native Rust via napi-rs. Supports head,
tail, and both modes. Counts by UTF-8 bytes, respects line boundaries,
uses memchr for fast newline scanning.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: remove unsafe blocks and fix truncation message byte counts
Replace unsafe from_utf8_unchecked with safe from_utf8().expect() —
the invariant (splitting at newline boundaries) is sound but the perf
difference is negligible, so no reason to use unsafe.
Fix truncateOutput messages that reported the byte budget as "bytes
truncated" instead of the actual number of bytes removed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: replace pure-JS xxHash32 with native Rust implementation via napi
The hashline edit tool calls xxHash32 on every line of every file read/edit.
Moving this to a native Rust implementation (xxhash-rust crate) eliminates
JS overhead for this hot path. Hash output is identical -- verified by tests
comparing native vs JS reference across 11 input vectors including empty
strings, short/long inputs, unicode, and seeded variants.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: use typed native interface and remove version-drag comment in xxhash wrapper
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the multi-pass JS pipeline (TextDecoder → stripAnsi → sanitizeBinaryOutput)
in bash-executor.ts with a single native Rust call that handles UTF-8 decoding,
ANSI stripping, binary sanitization, and CR removal in one pass.
Key features:
- StreamState tracks incomplete UTF-8 and ANSI sequences across chunk boundaries
- Standalone stripAnsiNative() and sanitizeBinaryOutputNative() for use elsewhere
- Comprehensive test coverage for split multibyte, split ANSI, binary data
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Add the 1M context variant of Claude Opus 4.6 to the model registry
and fix model resolver to try exact match before glob detection, so
model IDs containing bracket characters (like [1m]) are not
misinterpreted as glob patterns.
* feat: add native Rust streaming JSON parser for LLM tool call argument parsing
Replaces the JS partial-json library with a Rust implementation exposed via napi-rs.
The parser handles incomplete JSON from streaming deltas by closing unclosed strings,
objects, arrays, removing trailing commas, and completing truncated literals.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: handle truncated numbers and remove dead partial-json dependency
Adds truncated number recovery (e.g. `{"key": 12`, `{"key": 3.`, `{"key": 1e`)
to the Rust streaming JSON parser, and removes the now-unused `partial-json`
npm dependency from pi-ai.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add task isolation for subagent filesystem safety
Subagents can run in isolated git worktrees (or FUSE overlays on Linux)
so concurrent tasks don't stomp on each other's files. Changes are
captured as unified diffs and merged back via git apply.
- New isolation.ts module with worktree and FUSE overlay backends
- TaskIsolationSettings in settings-manager (mode + merge strategy)
- isolated parameter on the subagent tool schema
- Baseline capture/apply mirrors the parent repo's dirty state
- Process exit handler for best-effort cleanup of stale worktrees
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct delta capture to exclude parent baseline state
The worktree backend now commits a baseline snapshot after applying the
parent's dirty state, so captureDeltaPatch diffs only the subagent's
actual changes against the post-baseline HEAD (not the original HEAD).
The FUSE overlay backend tracks the parent's dirty file set at mount
time and filters the upper dir during delta capture to exclude inherited
dirty files.
Also removes dead code: findGitRoot (unused), readIsolationMergeStrategy
(exported but never called).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The async-jobs PR (#260) accidentally dropped `bashInterceptor` from the
Settings interface and the getBashInterceptorEnabled/getBashInterceptorRules
methods from SettingsManager, breaking the TypeScript build on main.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix cat rule to exclude heredoc syntax (cat <<EOF) via negative lookahead
- Fix write rule: exclude >> append and digit-prefixed fd redirects (2>)
using lookbehind (?<![|>\d])>(?!>)
- Add compileInterceptor() — pre-compiles rules once at construction time
instead of on every bash call; export CompiledInterceptor type
- Update createBashTool to use pre-compiled interceptor instance
- Add 33 unit tests covering all rules, edge cases, and pass-throughs
Regex-based pre-execution check in the bash tool blocks shell commands
(grep, cat, sed -i, etc.) when the dedicated replacement tool is available
in the session. Configurable via bashInterceptor settings.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rename all platform packages from @gsd/engine-* to @gsd-build/engine-*
to match the npm org. Remove the darwin-arm64 binary from git and
native/addon from files — production binaries come exclusively from
CI-published platform packages.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Support multiple API keys per provider with automatic rotation:
- AuthStorageData accepts single credential or array per provider
- Round-robin selection across credentials (no sessionId)
- Session-sticky hashing when sessionId is provided
- Credential backoff on rate limits (30s), quota exhaustion (30min),
server errors (20s)
- markUsageLimitReached() backs off failing credential and returns
whether an alternate is available
- Login accumulation: duplicate provider logins append API keys
instead of replacing
- Agent retry handler tries credential fallback before counting
against retry budget (immediate retry, no delay)
- All getApiKey call sites thread sessionId for sticky selection
Backward compatible: single credentials work unchanged.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add the esbuild/swc pattern for distributing platform-specific native
binaries via npm optional dependencies. Each supported platform gets its
own @gsd/engine-{platform} package containing just the .node binary.
- 5 platform package stubs (darwin-arm64, darwin-x64, linux-x64-gnu,
linux-arm64-gnu, win32-x64-msvc) with os/cpu filters
- Rewritten native loader: tries npm package first, then local build
- Version sync script keeps platform packages in lock-step with root
- GitHub Actions workflow for cross-platform build + publish on tag push
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The native .node binary was excluded from npm pack due to native/.gitignore
ignoring addon/. Add native/.npmignore (overrides .gitignore for npm) and
include native/addon in the files whitelist. Also improve the error message
in the native loader to list supported platforms and link to issues.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Implements a Rust napi-rs module that parses YAML-like frontmatter,
markdown sections, and roadmap structures from .gsd/ files. Provides
parseFrontmatter, extractSection, extractAllSections, batchParseGsdFiles,
and parseRoadmapFile functions exposed via @gsd/native. The JS parsers
in files.ts fall back transparently when the native module is unavailable.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move the edit tool's hot-path diffing operations from JS to native Rust:
- `normalizeForFuzzyMatch`: single-pass Unicode normalization (smart quotes,
dashes, special spaces, trailing whitespace)
- `fuzzyFindText`: exact-then-fuzzy substring search with UTF-16 index
conversion for JS compatibility
- `generateDiff`: unified diff generation using the `similar` crate
(Myers' algorithm with optimizations)
The Rust module at `native/crates/engine/src/diff.rs` exposes three napi
functions. The TypeScript wrapper at `packages/native/src/diff/` follows
the existing module pattern. `edit-diff.ts` now delegates to native
implementations while keeping line-ending handling and file I/O in JS.
18 tests covering normalization, fuzzy matching (including UTF-16 index
correctness with emoji/surrogate pairs), and diff generation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@gsd/native shipped raw .ts files in node_modules, which Node.js
refuses to import (ERR_UNSUPPORTED_NODE_MODULES_TYPE_STRIPPING on
Node 22/24, ERR_UNKNOWN_FILE_EXTENSION on Node 20). Add tsc build
step, point exports at dist/, and add to bundleDependencies.
Closes#248
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TTSR's checkDelta() runs O(rules x conditions) regex evaluations per
streaming token — the hottest path in GSD. This adds a Rust native
module that compiles all condition patterns into a single RegexSet,
testing them in one DFA pass instead of sequential JS RegExp iteration.
The TtsrManager transparently uses the native engine when available and
falls back to the existing JS regex loop when it is not.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace manual binary header parsing (PNG/JPEG/GIF/WebP) in terminal-image.ts
with the native @gsd/native/image module, and replace photon-node (WASM) with
native N-API calls for image resize and format conversion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The autocomplete file search no longer spawns the external `fd` binary via
spawnSync. It calls the in-process Rust fuzzyFind() function from @gsd/native,
which handles directory walking, gitignore, hidden files, and fuzzy scoring
in a single native call. The fdPath constructor parameter and ensureTool("fd")
download are removed since the binary is no longer needed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Swap visibleWidth, wrapTextWithAnsi, truncateToWidth, sliceWithWidth, and
extractSegments to delegate to the native Rust text module. Adapter maps
the JS ellipsis string API to the native EllipsisKind enum. Functions
without native equivalents (getSegmenter, extractAnsiCode, applyBackgroundToLine,
isWhitespaceChar, isPunctuationChar) are retained. Reduces utils.ts from
~900 lines to ~180 lines.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use the Rust-backed arboard clipboard (via @gsd/native/clipboard) for
text copy and image read, replacing the platform-tool shelling
(pbcopy/xclip/xsel) and @mariozechner/clipboard optional dependency.
OSC 52 is preserved as a fallback for SSH/mosh sessions. Linux Wayland
still falls back to wl-paste/xclip for image reads since arboard may
lack compositor access from a terminal.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
