Anthropic now blocks third-party apps from using Pro/Max subscription
quotas via direct API calls. This change makes the claude-code provider
(which delegates to the local claude CLI binary) the default path for
Anthropic subscription users — TOS-compliant because requests flow
through Anthropic's own infrastructure.
Changes:
- Enhanced readiness check to verify CLI auth status (not just binary)
- Startup migration: auto-switch anthropic → claude-code when CLI ready
- Error recovery: auto-switch on third-party 400 block error
- Onboarding: removed Anthropic from OAuth, added Claude CLI option
- Added claude-code to flat-rate providers (no dynamic routing benefit)
Closes#3772
PR #3744 and #3765 introduced contentCursorRow which diverges from the
actual terminal cursor position after IME repositioning. computeLineDiff
computes ANSI escape movements which are relative to where the cursor
physically is — that must be hardwareCursorRow, not a phantom position.
Remove contentCursorRow entirely and revert computeLineDiff baseline to
hardwareCursorRow. The ghost-line test was asserting wrong movement
direction (UP from phantom position vs DOWN from actual cursor).
Closes#3764
Verify that contentCursorRow is correctly maintained across renders
and that IME repositioning does not cause spurious cursor jumps
during normal typing or content shrinking.
Refs #3764
PR #3744 fixed autocomplete ghost lines by introducing a local
contentCursorRow initialized from this.cursorRow, but this.cursorRow
tracks the content end (last line), not where the cursor actually
ended up after rendering. This caused computeLineDiff to compute
wrong movement deltas, making content clear and jump on every keystroke.
Fix: add an instance field contentCursorRow that stores finalCursorRow
after content rendering but before positionHardwareCursor moves the
cursor for IME. This correctly separates three cursor concepts:
- cursorRow: logical content end (viewport calculation)
- contentCursorRow: post-render cursor position (movement baseline)
- hardwareCursorRow: actual terminal cursor (may differ due to IME)
Closes#3764
The workflow-logger coverage test (#3348) requires all catch blocks in
migrated files to include logging. Add logWarning for the expected
failure case when nativeWorktreeRemove fails on orphaned directories.
Refs #3739
Address adversarial review findings:
1. Timed-out pre/post verification continues running in background and
can mutate s.currentUnit for the wrong unit. Fix: null out
s.currentUnit on timeout so late async completions are harmless
(all side effects in postUnitPreVerification guard on s.currentUnit).
2. Finalize timeouts were treated as successful iterations, resetting
consecutiveErrors and enabling silent infinite churn. Fix: add
consecutiveFinalizeTimeouts counter to LoopState, increment on each
timeout, hard-stop auto-mode after MAX_FINALIZE_TIMEOUTS (3)
consecutive timeouts. Reset to 0 on successful finalize.
Both fixes apply symmetrically to pre and post verification timeouts.
Refs #3757
postUnitPostVerification already has a 60s timeout guard (#2344) but
postUnitPreVerification was called with bare await — if any async
operation inside it never resolves (browser teardown, worktree sync,
safety harness validation), the auto-loop freezes permanently with no
error, notification, or recovery.
Wrap postUnitPreVerification in the same withTimeout() pattern with a
dedicated FINALIZE_PRE_TIMEOUT_MS constant. On timeout, log a warning
and force-continue to the next iteration.
Closes#3757
Keyboard shortcut hints were hardcoded as Ctrl+Alt+X everywhere except
auto-dashboard.ts which had an inline platform check. On macOS these
should render as ⌃⌥X.
- Add formatShortcut() to files.ts — converts Ctrl/Alt/Shift/Cmd
modifiers to macOS symbols (⌃/⌥/⇧/⌘) when process.platform is darwin
- Replace all inline platform checks and hardcoded hints with
formatShortcut() calls
- Use template variables in system.md for shortcut hints
- Update comments in overlay files for consistency
- Add 7 tests covering all modifier conversions and passthrough
Closes#3753
The tool_result handler called markDepthVerified() whenever
ask_user_questions returned any response with a depth_verification
question ID — without checking what the user actually selected.
Selecting "Not quite", "None of the above", or garbage input all
unlocked the gate.
- Extract isDepthConfirmationAnswer() into write-gate.ts with structural
validation: cross-references selected answer against the question's
defined options, only accepting an exact match of the first option
(confirmation by convention). Rejects free-form "Other" text and
decouples from any specific label substring.
- Harden block message with explicit anti-bypass language
- Add anti-bypass instructions to all three discuss prompts
- Add 8 new tests covering: structural validation, free-form bypass
rejection, label-drift resilience, fallback behavior, edge cases
Closes#3749
Use the rendered content row as the shrink diff baseline instead of\nreusing the IME hardware cursor row. Add a focused TUI regression test\nthat reproduces the ghost-line cleanup path when autocomplete shrinks.\n\nCloses #3721
Strip planner-style path annotations before pre-execution checks compare\ninputs and expected outputs. This keeps existing files, prior outputs,\nand ordering checks aligned even when task-plan entries include inline\ndescriptions.\n\nCloses #3742
The function signature changed from boolean to "present" | "absent" |
"unknown" but three test assertions still compared against true/false.
Update assertions to match the new return type.
When a milestone completes but the session ends before teardown runs,
the milestone branch and worktree directory are orphaned — the DB says
complete so auto-mode won't re-enter, and the teardown is never retried.
Adds auditOrphanedMilestoneBranches() that runs after DB open during
bootstrap. For each milestone/* branch where the DB status is complete:
- If already merged into main → deletes the branch + cleans worktree dir
- If NOT merged → preserves the branch and warns the user
Includes 9 regression tests covering merged/unmerged/active/none-mode
scenarios.
Blocking on "unknown" from hasImplementationArtifacts broke real-world
auto-mode in projects without clean git merge-bases (single-branch,
fresh repos, detached HEAD). The auto-loop silently stopped at
completing-milestone with no visible error.
Reverted to warn-and-proceed for "unknown" — only "absent" (confirmed
no implementation files) blocks completion. This matches the original
fail-open behavior for inconclusive git checks.
1. hasImplementationArtifacts "unknown" now blocks completion instead of
warn-and-proceed. Both auto-dispatch.ts and auto-recovery.ts updated
to treat "unknown" as a stop condition, preventing milestone completion
when git status cannot be verified.
2. Audit log SAFE_KEYS allowlist expanded to include "id", "error", and
"count" fields. SPLIT BRAIN logError entries now persist the entity ID
and rollback error details to audit-log.jsonl for triage/repair.
Adds a pre-write guard in reconcileWorktreeLogs: re-reads the event
log before overwriting and retries if it grew since the initial read.
Prevents appendEvent calls between read and rewrite from being silently
dropped by the atomic overwrite.
1. Paused session file deletion deferred until after lock acquisition.
Previously the file was deleted before acquireSessionLock — if the
lock failed, the pause metadata was lost on disk and in memory,
making the session unresumable. Now the file path is stored in
s.pausedSessionFile and only deleted after successful lock.
2. Lock failure path preserves pause file for retry.
1. plan_task and plan_slice replay now use strict INSERT OR IGNORE
instead of calling insertTask/insertSlice which use ON CONFLICT
DO UPDATE. Prevents replay of older plan events from downgrading
progressed task/slice status back to pending.
2. Type guard on cmd normalization: non-string cmd values are skipped
with a warning instead of throwing.
3. Type guard on extractEntityKey for consistency.
1. Type guard on cmd normalization: non-string cmd values are now
skipped with a warning instead of throwing, preventing replay
from crashing on malformed event lines.
2. complete_milestone replay now validates all slices are closed
before marking milestone complete. Prevents a reordered/partial
event stream from closing a milestone with incomplete work.
3. Type guard on extractEntityKey cmd normalization for consistency.
Addresses Codex adversarial review findings:
1. Migration backup now flushes WAL via PRAGMA wal_checkpoint(TRUNCATE)
before copyFileSync. Without this, the backup could miss committed
data that only exists in the -wal file. Backup failure is now logged
via logWarning instead of silently swallowed.
2. Wave 5 regression tests strengthened:
- Added behavior-level test for skipped/blocked/pending status mapping
to checkbox rendering (not just isClosedStatus helper)
- Added extractEntityKey round-trip tests for underscored cmd formats
- Added unknown cmd → null safety test
Tests isClosedStatus coverage for projections, upsertDecision seq
preservation (ON CONFLICT DO UPDATE vs INSERT OR REPLACE), and
event schema versioning (v:2 field in new events).
Adds tests for plan event entity key extraction and unknown cmd handling.
Fixes empty catch blocks in auto-recovery.ts appendEvent calls that failed
the "no empty catch blocks" CI lint.
Covers event log cmd format normalization (hyphens + underscores),
extractEntityKey for complete-milestone, and isClosedStatus
including skipped status.
Five consistency fixes to eliminate divergence sources:
1. workflow-projections.ts: Direct string comparisons for task/slice status
replaced with isClosedStatus() from status-guards.ts. Skipped tasks now
correctly show checked checkboxes in PLAN.md and ROADMAP.md.
2. gsd-db.ts upsertDecision: INSERT OR REPLACE changed to INSERT ... ON
CONFLICT(id) DO UPDATE SET. Preserves the seq column so decision ordering
in DECISIONS.md is stable after reconcile replay.
3. state.ts: Duplicate private isStatusDone() removed, replaced with alias
to isClosedStatus from status-guards.ts. Single source of truth for
"what counts as closed."
4. gsd-db.ts migrateSchema: Database is now backed up to
gsd.db.backup-v{currentVersion} before running migration steps. A mid-
migration crash no longer leaves a partially-migrated DB with no recovery.
5. workflow-events.ts: WorkflowEvent interface now includes optional v field
(schema version). New events are written with v:2. Legacy events (no v
field) are still accepted. Prevents future cmd-format drift from requiring
another dual-read fix.
Three write-safety fixes:
1. json-persistence.ts: Fixed .tmp suffix replaced with randomized suffix
using crypto.randomBytes(4). Prevents concurrent-write data loss when two
callers write the same JSON file simultaneously (metrics ledger at risk
during parallel slice execution).
2. undo.ts: Raw writeFileSync on PLAN.md replaced with atomicWriteSync.
Prevents crash mid-write from corrupting PLAN.md permanently.
3. triage-resolution.ts: All 6 writeFileSync calls replaced with
atomicWriteSync. Covers PLAN.md inject, REPLAN-TRIGGER.md, REGRESSION.md,
and CONTEXT-DRAFT.md writes.
Five fixes for session lifecycle and recovery reliability:
1. hasImplementationArtifacts now returns tri-state ("present"|"absent"|"unknown")
instead of boolean. "unknown" on git errors lets callers warn+proceed instead
of either silently blocking or silently allowing. Both callers updated.
2. DB-ahead-of-disk split-brain: rollback DELETE in db-writer.ts saveDecisionToDb
and saveRequirementToDb now wrapped in try/catch with logError. A failed
rollback is explicitly logged as SPLIT BRAIN so the orphaned row is auditable.
3. _consecutiveCompleteBootstraps moved from module-level in auto-start.ts into
AutoSession class. Now properly reset by s.reset(), preventing cross-session
counter bleed in long-running processes (VS Code extension).
4. s.paused sticky on lock failure: when acquireSessionLock fails during resume,
s.paused is now set back to false so isAutoPaused() doesn't return true
permanently.
5. nativeCommit empty message replaced with "chore(gsd): reconcile merge state"
to avoid rejection by strict git configurations.
