On macOS the Alt key is the Option key (⌥), but all UI hints showed
"Alt+". Added formatKeyForDisplay() utility that converts alt+ to ⌥
on darwin, applied it in formatKeys() for dynamic keybinding hints,
and updated hardcoded strings in tree-selector, models-selector,
settings-selector, auto-mode dashboard, and extension shortcut display.
Hashline prefixes (e.g. "1#BQ:") were leaking into the TUI display
for file reads, showing as weird characters to users. Strip them
before rendering since they're only meant for model consumption.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Anthropic's 429 responses include retry-after and x-ratelimit-reset-*
headers that tell us exactly when to retry. Previously we ignored these
and used exponential backoff (2s, 4s, 8s), which is both wrong and
misleading in the UI countdown.
- Add retryAfterMs to AssistantMessage as the structured carrier
- Extract retry-after / x-ratelimit-reset-requests / x-ratelimit-reset-tokens
from Anthropic SDK APIError.headers in the provider catch block
- Session uses retryAfterMs when present (capped by maxDelayMs=60s),
falls back to exponential backoff for errors with no timing hint
The UI countdown now shows the actual Anthropic reset time. No UI changes needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Lines exceeding terminal width are now silently truncated at the render
boundary rather than throwing a fatal error that kills the session.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add native Rust output truncation module
Line-boundary-aware truncation for tool outputs (bash, grep, file reads),
replacing JS byte-counting with native Rust via napi-rs. Supports head,
tail, and both modes. Counts by UTF-8 bytes, respects line boundaries,
uses memchr for fast newline scanning.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: remove unsafe blocks and fix truncation message byte counts
Replace unsafe from_utf8_unchecked with safe from_utf8().expect() —
the invariant (splitting at newline boundaries) is sound but the perf
difference is negligible, so no reason to use unsafe.
Fix truncateOutput messages that reported the byte budget as "bytes
truncated" instead of the actual number of bytes removed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: replace pure-JS xxHash32 with native Rust implementation via napi
The hashline edit tool calls xxHash32 on every line of every file read/edit.
Moving this to a native Rust implementation (xxhash-rust crate) eliminates
JS overhead for this hot path. Hash output is identical -- verified by tests
comparing native vs JS reference across 11 input vectors including empty
strings, short/long inputs, unicode, and seeded variants.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: use typed native interface and remove version-drag comment in xxhash wrapper
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the multi-pass JS pipeline (TextDecoder → stripAnsi → sanitizeBinaryOutput)
in bash-executor.ts with a single native Rust call that handles UTF-8 decoding,
ANSI stripping, binary sanitization, and CR removal in one pass.
Key features:
- StreamState tracks incomplete UTF-8 and ANSI sequences across chunk boundaries
- Standalone stripAnsiNative() and sanitizeBinaryOutputNative() for use elsewhere
- Comprehensive test coverage for split multibyte, split ANSI, binary data
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
- idle-recovery.test.ts: Use 'unknown-type' instead of 'execute-task'
for null-path test (execute-task now has artifact paths for task summaries)
- app-smoke.test.ts: Remove AGENTS.md assertions (merged into system.md
in commit 0b6d88f). Add ENOBUFS skip handling for tarball tests
(system buffer exhaustion is not a code issue).
Add the 1M context variant of Claude Opus 4.6 to the model registry
and fix model resolver to try exact match before glob detection, so
model IDs containing bracket characters (like [1m]) are not
misinterpreted as glob patterns.
Prevents publishing gsd-pi to npm if any @gsd-build/engine-* optional
dependency is missing at the expected version. Avoids the failure mode
seen in 2.10.5 where the main package shipped before platform packages
were available, causing 'Cannot find module' errors on fresh installs.
* feat: add native Rust streaming JSON parser for LLM tool call argument parsing
Replaces the JS partial-json library with a Rust implementation exposed via napi-rs.
The parser handles incomplete JSON from streaming deltas by closing unclosed strings,
objects, arrays, removing trailing commas, and completing truncated literals.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: handle truncated numbers and remove dead partial-json dependency
Adds truncated number recovery (e.g. `{"key": 12`, `{"key": 3.`, `{"key": 1e`)
to the Rust streaming JSON parser, and removes the now-unused `partial-json`
npm dependency from pi-ai.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The v2.10.5 release broke on darwin-arm64 because the main package
was published before the native CI built and published the platform
packages. With exact version pinning, npm silently skips the
optional dep when the version doesn't exist, causing a fatal crash.
Change to >=2.10.2 range so npm installs the latest available
binary. The native API is stable across patch versions.
Also stop sync-platform-versions.cjs from overwriting the ranges
back to exact versions during CI.
Adds a git diff check after sync-platform-versions so npm publish fails
if the sync had to make changes. Prevents a repeat of #276 where
optionalDependencies were out of sync with the published version.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add task isolation for subagent filesystem safety
Subagents can run in isolated git worktrees (or FUSE overlays on Linux)
so concurrent tasks don't stomp on each other's files. Changes are
captured as unified diffs and merged back via git apply.
- New isolation.ts module with worktree and FUSE overlay backends
- TaskIsolationSettings in settings-manager (mode + merge strategy)
- isolated parameter on the subagent tool schema
- Baseline capture/apply mirrors the parent repo's dirty state
- Process exit handler for best-effort cleanup of stale worktrees
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: correct delta capture to exclude parent baseline state
The worktree backend now commits a baseline snapshot after applying the
parent's dirty state, so captureDeltaPatch diffs only the subagent's
actual changes against the post-baseline HEAD (not the original HEAD).
The FUSE overlay backend tracks the parent's dirty file set at mount
time and filters the upper dir during delta capture to exclude inherited
dirty files.
Also removes dead code: findGitRoot (unused), readIsolationMergeStrategy
(exported but never called).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The async-jobs PR (#260) accidentally dropped `bashInterceptor` from the
Settings interface and the getBashInterceptorEnabled/getBashInterceptorRules
methods from SettingsManager, breaking the TypeScript build on main.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When running `gsd config` with existing LLM auth or web search
configured, show a 'Keep current (provider)' option at the top
so users don't have to re-authenticate.
Co-authored-by: Juan Francisco Lebrero <fran@Juans-MacBook-Air.local>
Fix optionalDependencies version sync — 2.10.4 shipped with engine packages pinned to 2.10.2 (the broken version), so users never got the fixed binaries. Closes#276.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
After LLM provider login, ask how to search the web:
- Anthropic built-in (no key needed, shown when using Claude)
- Brave Search (API key)
- Tavily (API key)
- Skip
Moves Brave/Brave Answers out of the generic tool keys step into
the dedicated web search step for better discoverability.
Replace the flat 9-option provider list with a two-step flow:
1. How to sign in? (Browser login / API key / Skip)
2. Which provider? (filtered by auth method)
This reduces cognitive load on first launch — users pick their
auth method first, then see only the relevant providers.
Adds a CLI subcommand that checks npm for the latest version and
runs `npm install -g gsd-pi@latest` if an update is available.
Prints current/latest version and clear success/failure messages.
- Fix cat rule to exclude heredoc syntax (cat <<EOF) via negative lookahead
- Fix write rule: exclude >> append and digit-prefixed fd redirects (2>)
using lookbehind (?<![|>\d])>(?!>)
- Add compileInterceptor() — pre-compiles rules once at construction time
instead of on every bash call; export CompiledInterceptor type
- Update createBashTool to use pre-compiled interceptor instance
- Add 33 unit tests covering all rules, edge cases, and pass-throughs
The merge conflict auto-resolution only handled RUNTIME_EXCLUSION_PATHS
(.gsd/activity/, .gsd/runtime/, .gsd/metrics.json, etc). Planning
artifacts like DECISIONS.md, REQUIREMENTS.md, PROJECT.md, and
ROADMAP.md were not covered, causing the merge to fail and auto-mode
to loop when both main and the slice branch modified these files.
Now any conflict limited to .gsd/ files is auto-resolved by taking
the slice branch version (--theirs), since the LLM just finished
updating these artifacts during complete-slice.
macos-13 runners are deprecated on GitHub Actions. Use macos-14 (ARM64)
and cross-compile for x86_64-apple-darwin instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Regex-based pre-execution check in the bash tool blocks shell commands
(grep, cat, sed -i, etc.) when the dedicated replacement tool is available
in the session. Configurable via bashInterceptor settings.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rename all platform packages from @gsd/engine-* to @gsd-build/engine-*
to match the npm org. Remove the darwin-arm64 binary from git and
native/addon from files — production binaries come exclusively from
CI-published platform packages.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Support multiple API keys per provider with automatic rotation:
- AuthStorageData accepts single credential or array per provider
- Round-robin selection across credentials (no sessionId)
- Session-sticky hashing when sessionId is provided
- Credential backoff on rate limits (30s), quota exhaustion (30min),
server errors (20s)
- markUsageLimitReached() backs off failing credential and returns
whether an alternate is available
- Login accumulation: duplicate provider logins append API keys
instead of replacing
- Agent retry handler tries credential fallback before counting
against retry budget (immediate retry, no delay)
- All getApiKey call sites thread sessionId for sticky selection
Backward compatible: single credentials work unchanged.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Use CARGO_ENCODED_RUSTFLAGS="" to override target-specific rustflags
in .cargo/config.toml (RUSTFLAGS env var doesn't override [target.*])
- Fix sync script filename: .cjs not .js
- Fail hard when no library found instead of silent exit 0
- Only tolerate "already published" errors, fail on real publish errors
- Use --ignore-scripts for main package publish to skip redundant build
- Use cd "$GITHUB_WORKSPACE" instead of cd - for reliability
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add the esbuild/swc pattern for distributing platform-specific native
binaries via npm optional dependencies. Each supported platform gets its
own @gsd/engine-{platform} package containing just the .node binary.
- 5 platform package stubs (darwin-arm64, darwin-x64, linux-x64-gnu,
linux-arm64-gnu, win32-x64-msvc) with os/cpu filters
- Rewritten native loader: tries npm package first, then local build
- Version sync script keeps platform packages in lock-step with root
- GitHub Actions workflow for cross-platform build + publish on tag push
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The native .node binary was excluded from npm pack due to native/.gitignore
ignoring addon/. Add native/.npmignore (overrides .gitignore for npm) and
include native/addon in the files whitelist. Also improve the error message
in the native loader to list supported platforms and link to issues.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Closes community discussion (#86) about potential ToS implications
of using subscription OAuth tokens outside native applications.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
